Dear Readers,

The September issue of BSD Magazine is dedicated to day-to-day BSD administration with the use of MidnightBSD custom installations and Live CDs, BSD server maintenance, directory encryption using PEFS and much more.

We start with Rob's column, where he discusses the 
future of Microsoft, the industry giant. 

System administrators and hobbyists often wish to build 
custom install media with their own software packages, 
or live CDs for fixing systems. In the What’s New section, 
Lucas Holt explores MidnightBSD custom installations 
and live CDs. 

Many sites and handbooks explain how to install servers, but once a server is running, can an administrator keep it that way? The “BSD Server Maintenance” article by Devyn Collier Johnson will cover the basics of maintaining a BSD server.

Then you will have the chance to read Patrick Allen's 
article entitled “Re-purposing an Abandoned Mac Mini as 
a Wireless Router with OpenBSD”, where he will try to 
bring abandoned hardware into the present with OpenBSD. 

Next, by reading Antonio Francesco Gentile’s article 
called “Monit — Monitoring Solution for Enterprise and 
SOHO Servers with FreeBSD”, you will learn how to set 
up and manage a monitoring server based on monit. 

In the Admin section, Rob Somerville presents the 
eighth part of our series on programming — “FreeBSD 
Programming Primer”, where we will refine our jQuery 
menu and start building a user friendly interface to add 
content. 

Then, Kris Moore talks a bit about Directory encryption 
using PEFS in the second part of his “A Closer Look at 
the Changes in PC-BSD/TrueOS 9.2” series. 

After that, Carlos Antonio Neira Bustos talks about the 
Z file system in his “Intro to ZFS” article. 

Finally, Angel Leon shows you the caveats of deploying 
FreeBSD over XenServer and the advantages over the 
traditional schema in improving administration, provisioning 
and delivery times. 


We hope you will enjoy this issue and find many 
interesting articles! 


Kamil Sobieraj 
Editor of BSD Magazine 
& BSD Team 
Let’s Talk


It’s Lonely at the Top

By Rob Somerville 
With the imminent departure of Steve Ballmer and 
Microsoft insiders adamant that Bill Gates will not return, 
what is the future for the industry giant? 


What’s New 


MidnightBSD Custom Installations and Live CDs

By Lucas Holt 
System administrators and hobbyists often wish to build 
custom install media with their own software packages, 
or live CDs for fixing systems. This flexibility can ease 
deployments in large environments or make it easy to 
bring your favorite OS along with you. Before customizing 
install media, it's important to look at the existing build 
system in MidnightBSD. There are two directories within 
the source tree for building media, release and nrelease. 
Release is used to build installation media, and nrelease 
(which originated from DragonFly BSD) is used to build 
Live CDs and USB flash media. 


BSD Server Maintenance


By Devyn Collier Johnson 
Many sites and handbooks explain how to install servers, 
but once a server is running, can an administrator keep it 
that way? This article will cover the basics of maintaining 
a BSD server. 


Re-purposing an Abandoned Mac Mini
as a Wireless Router with OpenBSD 
By Patrick Allen 
Don’t let thousands of dollars worth of hardware that 
has been abandoned by Apple rot with old, unsupported 
software. Bring it into the present with OpenBSD. 


Monit - Monitoring Solution for
Enterprise and SOHO Servers with 
FreeBSD 
By Antonio Francesco Gentile 
The state of the network services offered by a company 
is the business card with which it presents itself to the 
world. Thanks to constant monitoring, it is possible to 
understand how and where to improve the infrastructure 
of the network in real time and detect any abnormalities. 
FreeBSD Programming Primer — Part 8
By Rob Somerville

In the eighth part of our series on programming, we will refine our jQuery menu and start building a user friendly interface to add content.


A Closer Look at the Changes in
PC-BSD/TrueOS 9.2 — Part 2 — Directory 
Encryption Using PEFS 
By Kris Moore 
Last month we took a look at how PC-BSD is implementing 
ZFS boot-environments, which can be a life-saver for 
both servers and desktops. This month we will be looking 
at how PC-BSD uses the PEFS kernel level file system 
module to automatically encrypt your home directory and 
its contents, and how you can manually run PEFS for 
other sensitive data. 


Intro to ZFS


By Carlos Antonio Neira Bustos 

“The Z file system, originally developed by Sun™, is 
designed to use a pooled storage method in that space 
is only used as it is needed for data storage. It is also 
designed for maximum data integrity, supporting data
snapshots, multiple copies, and data checksums. It uses 
a software data replication model, known as RAID-Z. 
RAID-Z provides redundancy similar to hardware RAID, 
but is designed to prevent data write corruption and to 
overcome some of the limitations of hardware RAID.” 


FreeBSD on XenServer


Angel Leon 
In this article, we will learn the caveats of deploying 
FreeBSD over XenServer and the advantages over the 
traditional schema in improving administration, provisioning 
and delivery times. 



LET’S TALK 


It’s Lonely at the Top


With the imminent departure of Steve Ballmer and Microsoft insiders adamant that Bill Gates will not return, what is the future for the industry giant?


large public owned organisation. On saying goodbye to his predecessor, he was handed 3 sequentially marked envelopes and advised to open each in turn when faced with a crisis. After an initial honeymoon period, sales were down so the first envelope was opened which said “Blame your predecessor”. This worked for a while, until another major crisis arose, so the second envelope was opened which said “Reorganise”. The CEO duly performed root and branch reform from remote site to corporate headquarters and this strategy seemed to work until another crisis emerged. On opening the third envelope, the CEO was greeted with the message “Prepare 3 envelopes”.

While there is no suggestion that Steve Ballmer was pushed out of the role (he is retiring), the above anecdote illustrates well the challenges of being a CEO of a major technological blue chip. You can please some of the people some of the time, but rarely all at the same time. It seems that the Microsoft Corporation (NASDAQ: MSFT) is at a critical juncture both from the long term vision point of view and via strong competition in the sector. Looking back to Bill Gates’ tenure, the organisation switched directions from being led by a technologist to being led by a marketeer. No doubt this made sense at the time, with the increasing move towards software becoming just “another consumer commodity”. However, very much like Apple losing focus with the departure of Steve Jobs in 1985 and its subsequent rebirth upon his return, the strategy of running a technology company by a non-technologist poses some interesting questions about corporate identity and its relationship to the marketplace. As the goal of any public corporation is to make as much money as possible for the shareholders, surely logic would dictate that a marketing/sales focused CEO would be the best candidate? Or maybe a banker or lawyer would be better. To the cynical, major organisations can be run by any discipline, as facilitating any effective change over the short to medium term is close to impossible due to cultural inertia and the sheer complexity of the business. The age old conundrum of what leadership model to follow is key; centralisation versus decentralisation? One large behemoth or lots of small divisions? Benevolent dictator or autonomy? Corporate clone or individual creativity? The permutations are endless, as history inevitably repeats itself under each new leader.

What is clear is that the original MSFT vision of innovation is becoming decidedly threadbare. The pressure to drain every last profitable cent from the product is moving the market towards Software as a Service (SaaS). This might be fine for enterprises, but renting software will only remain a growing trend until the ever increasing pressure of vendor lock-in and the long term financial and security risk is realised by the customer. The big problem with renting anything (especially from an effective monopoly) is that they can easily dictate market price at a whim. At least if you own it (as far as you can own a software licence) you have a physical product until end-of-life. It is ironic that we have come full circle from the 1970's where enterprises rented processing on a time-share basis. This is a very different reality from building a company through innovation, aggressive acquisition and then branding the now ex-competitors’ products as your own. The disconnect is even clearer as Bill Gates’ vision of a computer on every desktop — a revolutionary idea at the time — has been such a clear success. MSFT is the dominant alpha male, effectively the industry standard whether in the enterprise or in the home. All of this is set to change with the rapidly growing mobile and tablet market, areas traditionally where MSFT has performed poorly. Time and again, the corporation has tried to gain an elusive foothold in alternative sectors without the obvious success it had in the 80's and 90’s — Bing and Nokia being good examples.

In the past, MSFT managed to maintain pre-eminence with a simultaneous pincer attack on the enterprise and the consumer markets. This is now becoming much more asymmetrical, with MSFT holding its own in the corporate world and the consumer turning towards Apple and Android. The question is what will happen when XP finally turns end of life in 2014. Will the consumer stay with Microsoft or decide to invest in alternatives? With XP holding an estimated market share of 40%, that is a lot of legacy software — and the cool enterprise reception to Windows 8 suggests Windows 7 will become the next consumer haven. With rumours of an aggressive development cycle for Windows 9, all this may change, but it is unthinkable that the user interface will change dramatically from the tablet-focused model. So in the short term at least, MS has hedged their bets should their traditional domestic user base reject Windows 8 or 9 in a Vista-like fashion. Another variable is whether the consumer market will choose to upgrade their desktop PC or move towards tablets. This further plays into the hands of other players (e.g. Google docs) and weakens another traditional cash cow — Microsoft Office.

Whoever leads up MSFT, it will be during a very turbulent and challenging time in the technology marketplace. If SaaS and the cloud continues its meteoric rise in popularity, the drift away from traditional licensing/purchase models will become a stampede. This is where MS faces a huge challenge — while it might be able to get away with charging the corporate customer, anyone can easily subscribe to free services like CloudOn, that offers MS Office on a tablet under a freemium pricing model — free to the majority, pay for premium services. Traditionally, the MS business model would be to purchase competitors and integrate, but how would they monetize this? Start charging and the user base will just move to Google docs unless they are totally locked into Office.

Microsoft needs to get back to its roots and decide what 
business model it wants to follow. As a technology com- 
pany, they need a killer app, a widely adopted O/S across 
different platforms, and a revolutionary and exciting vi- 
sion. As a service provider, they need to focus on the en- 
terprise, especially in the area of Bring Your Own Device 
(BYOD) and solution/support provision. If they choose 
both, a fragmentation of the organisation seems inevita- 
ble, as the profit from traditional licensing models is evap- 
orating and the business models are so vastly different. 
Could it be that MSFT is going the well trodden path of 
IBM, HP and Blackberry — too big and too slow to respond 
to a rapidly changing marketplace and consequently los- 
ing their onward inertia? Unless the new CEO can pull a 
rabbit out of the hat, the three envelope scenario looks in- 
creasingly likely sometime in the future. It’s not only very 
lonely at the top, but very tough as well. 


ROB SOMERVILLE 

Rob Somerville has been passionate about technology since his ear- 
ly teens. A keen advocate of open systems since the mid eighties, he 
has worked in many corporate sectors including finance, automotive, 
airlines, government and media in a variety of roles from technical 
support, system administrator, developer, systems integrator and IT 
manager. He has moved on from CP/M and nixie tubes but keeps a 
soldering iron handy just in case. 
WHAT’S NEW


MidnightBSD Custom Installations and Live CDs


System administrators and hobbyists often wish to build custom install media with their own software packages, or live CDs for fixing systems. This flexibility can ease deployments in large environments or make it easy to bring your favorite OS along with you.


What you will learn... 
• how to create a live CD & flash media
• how to create custom install CDs


Prior to customizing install media, it's important to look at the existing build system in MidnightBSD. There are two directories within the source tree for building media, release and nrelease. Release is used to build installation media, and nrelease (which originated from DragonFly BSD) is used to build Live CDs and USB flash media.

Customizing Installation Media 

Building a custom install image is helpful for system admin- 
istrators when they need to replicate installations with the 
same configuration on multiple systems. The installation 
media can be given to technical support staff to install on 
desktops and servers throughout the organization. It also 
provides the benefit of a consistent install across machines, 
reducing maintenance headaches. In addition to custom- 
izing partitioning and packages, the sysadmin can build a 
custom kernel for the installation media with specific fea- 
tures enabled or disabled. Turning off unneeded features 
can improve security and performance. Another advantage 
with customizing install media is one can build the base sys- 
tem without specific features — such as games or services 
— for use on desktop systems. This limits what end users 
can do in a lab or other restricted computing environment. In 
server environments, it may be advised to disable Sendmail 
or BIND software when using other packages for mail and 
DNS services. Custom installation scripts can be added to 
install additional packages or do custom post configuration tasks on installed services, similar to the standard firstboot script included in MidnightBSD’s rc.d.


What you should know...

• how to build world, kernels and install packages using mport


Why create a Live CD? 

Live CDs and flash boot media can be useful to demo 
MidnightBSD to friends or to fix damaged installations. 
The MidnightBSD release CD in 0.4 has a simple live 
CD repair mode, but it has a limited set of tools available. 
By building a custom CD, one can include tools such as 
fusefs for working with extra file systems, partitioning soft- 
ware beyond gpart’s functionality or other custom packag- 
es for network security. Antivirus software could be used 
to scan infected machines on the network. Network scan- 
ners and other network security tools could be used to 
review network security from a trusted portable environ- 
ment. It is also possible to create a custom live CD that 
imitates a full desktop environment and then create cus- 
tom installation media to copy the entire environment to a 
local hard drive after testing on the system. Live CDs can 
even be used to test MidnightBSD on laptops at stores 
prior to purchase to ensure they're going to work, includ- 
ing testing X.org on the video card and verifying sound 
and networking are detected. 


Creating a Live CD 


Creating a CD requires building the world and kernel, and then using DragonFly’s nrelease architecture. After running the realquickrel target, an ISO file will be located at /usr/release/mbsd.iso.


Listing 1. Create a Live CD


# Build a live CD on 0.3 or 0.4, assumes CVS checkout
cd /usr/src && make buildworld buildkernel
cd /usr/src/nrelease && make realquickrel


Customizing Live CDs 

To customize a live CD, modify the contents of /usr/src/nrelease/root. Make any relevant configuration changes to etc files. These are copied into the staged directory. Install packages from mports or using packages from the FTP server into the destination environment. This procedure assumes one is using MidnightBSD 0.4-RELEASE.

• cd /usr/src; make buildworld
• make buildkernel
• cd nrelease
• make buildiso
• mkdir /usr/release/root/usr/mports
• cd /usr/release/root/usr; mount_nullfs /usr/mports mports; cd ..
• mport install <package name> # repeat as necessary for each package to install
• umount /usr/release/root/usr/mports
• cd /usr/src/nrelease; make buildiso2
• make mkiso

If you wish to use locally generated packages rather than files from the MidnightBSD FTP, use /usr/libexec/mport.install to install local packages. This will require a full path to the package.


Creating a USB Flash Environment 

Creating a flash image for MidnightBSD 0.4 can be done in a similar manner to the Live CD or using the new memstick target in src/release/Makefile. One could customize the contents of /usr/rel prior to using the memstick target to create custom media. For further examples of creating a flash drive using the older Live CD method, consult the MidnightBSD wiki.


Listing 2. Copying the Flash Image to Media


# (assumes flash is /dev/da0)
dd if=${imgoutfile} of=/dev/da0 bs=1m


Customizing Installation Media
To build MidnightBSD releases, start by setting up a fresh machine with the same version of the OS. Normally, we pull it from source, run the regular buildworld, buildkernel, installkernel, reboot, installworld, and mergemaster steps. Assuming you have already run buildworld and buildkernel, you can cd /usr/src/release. From the release directory, you will find a Makefile with several targets and environment settings.


On the Web


http://www.midnightbsd.org/ — MidnightBSD Project website
http://www.midnightbsd.org/wiki/FlashDriveBoot — MidnightBSD wiki on Flash Boot.


Bsdinstall is the future 

With 0.4-RELEASE, we adopted FreeBSD’s bsdinstall 
based installation mechanism. Rather than place all the 
logic in one massive program like sysinstall, the installer 
is a series of simple programs and scripts. This creates 
flexibility in adding new install steps to the process and 
makes the firstboot script unnecessary. 


Including Packages 

As 0.4 includes a Live CD like workflow, it would be pos- 
sible to generate an index.db file for the packages one 
wishes to include on the CD, place it in the installation me- 
dia in /var/db/mport and include packages on the instal- 
lation media. Then, install the packages using a script with 
calls to /usr/libexec/mport.install. The only caveat to 
this approach is that mport is designed to check automati- 
cally for updated index files on some operations. mport.in- 
stall will not do this. The SQLite index.db file contains the 
URLs for mirror sites and could be modified to use local 
internal servers. It might be wise to modify the bootstrap 
URL in the libmport source code to point to your own mir- 
ror so a client does not fetch an index from the main Mid- 
nightBSD mirror for private installations of this type. 
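A post-install script of the kind this section describes, added here as an example rather than code from the article or the MidnightBSD project: it installs every package found on the media with /usr/libexec/mport.install, passing each one as a full path, and refuses to run until the index.db copied onto the media is in place, since mport.install will not fetch one. The .mport file suffix, the MPORT_INSTALL and MPORT_DB override variables and the stub installer used to try it out are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the article or MidnightBSD: install the
# packages shipped on custom install media with /usr/libexec/mport.install.
# Assumptions: packages end in .mport, the index copied to the media is at
# $MPORT_DB/index.db, and both locations can be overridden for testing.

MPORT_INSTALL="${MPORT_INSTALL:-/usr/libexec/mport.install}"
MPORT_DB="${MPORT_DB:-/var/db/mport}"

# Install every *.mport file in directory $1 with a full path, as
# mport.install requires. Prints the number of packages attempted and
# returns non-zero if the index is missing or any install failed.
install_media_packages() {
    dir="$1"
    count=0
    failed=0
    if [ ! -r "$MPORT_DB/index.db" ]; then
        echo "no package index at $MPORT_DB/index.db; copy it from the media first" >&2
        return 2
    fi
    for pkg in "$dir"/*.mport; do
        [ -f "$pkg" ] || continue          # no packages: the glob stays literal
        case "$pkg" in
            /*) ;;                         # already absolute
            *)  pkg="$(pwd)/$pkg" ;;       # make it absolute
        esac
        count=$((count + 1))
        if ! "$MPORT_INSTALL" "$pkg"; then
            echo "install failed: $pkg" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$count"
    [ "$failed" -eq 0 ]
}

# Stand-alone use: sh install-media-packages.sh <directory holding the packages>
if [ $# -gt 0 ]; then
    install_media_packages "$1"
fi
```

Pointing MPORT_INSTALL at a small shell stub that only logs its argument shows which paths would be handed to the installer before the media is built; on the real media the defaults apply and the script stops early, with a message, if /var/db/mport/index.db was not copied across.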


Summary 

Building custom installation media can be useful for de- 
ploying MidnightBSD on a large number of systems in 
the same manner. Live CDs and flash media allow one 
to bring a custom MidnightBSD install with them or create 
rescue media for recovering damaged systems. 

Using the makefiles in nrelease or release directories 
within a checked out copy of MidnightBSD sources allow 
you to build custom media. 


LUCAS HOLT 
Lucas Holt is the founder of the MidnightBSD project and a Senior Application 
Programmer/Analyst for the University of Michigan in Ann Arbor, MI, USA. 
BSD Server Maintenance


Many sites and handbooks explain how to install servers, but once a server is running, can an administrator keep it that way? This article will cover the basics of maintaining a BSD server.


What you will learn... 

• How to maintain any BSD server.
• Some basic rules of server maintenance.
• Some helpful shell commands.
• The crucial importance of logs.
• Backing up BSD servers.
• Security.
• Finding problems.
• Some basic information that will help prep admins for their BSD and/or LPI certifications


Many server administrators may understand how to set up a FreeBSD server, but once it is up, can they keep it running? Many companies may store business transactions on servers like stock lists and item prices. If the server(s) goes down, a part of or the entire company is unable to continue or perform well until the server is back up. Also, if the server is used to host a website that sells products, customers cannot make purchases until the server is fixed. This means that the company loses money until the server is back online. If the data is lost, this means the company loses more profits. Clearly, it is important to keep the servers healthy and the data safe and secure.

When dealing with servers, the two most important directories that all administrators should thoroughly understand and learn are /etc/ and /var/.


NOTE 

I am using FreeBSD v9.1 for my descriptions and exam-
ples, but this article is valid for any BSD distro and many 
Linux/Unix operating systems. 
What you should know...

• Basic shell commands.
• Basic network concepts.
• Understanding of BSD and Unix systems.
• General idea of the different server services and daemons.


NOTE 
This article will not discuss how to install a server. It will 
only explain server maintenance and protection. 


Logs 

When maintaining a server, it is best to prevent issues be- 
fore problems arise. Thankfully, many servers have a log 
system. Most applications/services have a log that lists 
the software’s status and errors. When an error is spotted, 
the administrator should take the time to investigate and 
prevent future disasters. 

Logs are stored in /var/. The logs are given names that easily identify their content or purpose. For example, the Samba log would be /var/log/smb.log. Some applications (rarely) store logs in the current user’s home folder. If a log cannot be found, check in root’s home folder or read the application’s manual for the log location.

If the HTTP services are having specific issues and the IT tech does not want to spend a lot of time searching through the Apache log, then the tech can do a specific search like below.
grep "SOME ISSUE TO SEARCH" /var/log/httpd-error.log


For example, when searching for a connection error, 
search for words like “connection”, “failed”, “404°” (HTTP 
connection error number), and other similar terms. 
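The grep above checks one string per run. As an added example, not part of the article, the functions below build a single case-insensitive, fixed-string search over any number of terms, so “connection”, “failed” and “404” can be checked in one pass without a digit or bracket being read as a regular expression. The Apache-style error-log lines they are tried on are constructed for this example, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the article: search a log for several terms at once.
# The sample Apache error-log lines are constructed for this example.

# Print the lines of log $1 that contain any of the remaining arguments.
# -i: case-insensitive; -F: fixed strings, so "404" or "[error]" are matched
# literally rather than read as regular expressions.
search_log() {
    log="$1"; shift
    # Turn each term into a "-e term" pair so grep treats all of them as
    # alternatives (plain "grep a b c" would read b and c as file names).
    for term in "$@"; do
        set -- "$@" -e "$term"
        shift
    done
    grep -iF "$@" "$log"
}

# Number of matching lines (0 when nothing matches).
count_matches() {
    search_log "$@" | wc -l | tr -d ' '
}

# Write a constructed httpd-error.log to path $1 for trying the functions.
make_sample_log() {
    cat > "$1" <<'EOF'
[Sun Sep 01 05:03:12 2013] [error] [client 192.0.2.10] File does not exist: /usr/local/www/apache22/data/favicon.ico
[Sun Sep 01 05:03:15 2013] [notice] Apache/2.2.25 (FreeBSD) configured -- resuming normal operations
[Sun Sep 01 05:04:02 2013] [error] (61)Connection refused: proxy: HTTP: attempt to connect to 192.0.2.20:8080 failed
[Sun Sep 01 05:05:40 2013] [warn] child process 1234 still did not exit, sending a SIGTERM
[Sun Sep 01 05:06:01 2013] [error] [client 192.0.2.11] File does not exist: /usr/local/www/apache22/data/robots.txt, referer: http://example.com/
EOF
}

# Stand-alone use: sh search-log.sh /var/log/httpd-error.log connection failed 404
if [ $# -gt 1 ]; then
    search_log "$@"
fi
```

On the sample log, `count_matches "$f" connection failed` reports one line (the refused proxy connection) while `count_matches "$f" "does not exist"` reports two, which is the kind of quick tally that tells a tech whether a reported problem is a one-off or a pattern before reading the whole file in less.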

A server maintainer may use a command like the above 
to search the boot-up logs for lines containing the word 
“Ethernet” when there appears to be an Ethernet issue. 
There is a command specifically for viewing the boot-up 
log seen below. The command below displays the con- 
tents of /var/run/dmesg.boot. 


dmesg -a | less 


This command will allow the administrator to scroll 
through the boot messages. When searching for entries 
concerning the USB system, for instance, try the below 
command. 


dmesg -a | grep usb 


It is important to occasionally browse the output of the 
dmesg command, because sometimes errors may start 
occurring with the hardware or boot-up process. If the 
server has problems booting up, the network's or com- 
pany’s performance may suffer. 


Paper Logs 

It is best to keep a physical log in the server room or some 
other secure storage location. This log should include a 
list of all files changed, software installed, and hardware 
repaired along with answers to the following questions — 
who, what, why, when, where, and how. 


Who 

It helps to keep a written record of all IT techs that have 
dealt with the server. This helps keep track of all who may 
be aware of an error. Assume the server is having errors 
with the NTP services again. If Bill, the IT tech, was the 
last one to fix it, it may be best to have Bill check the is- 
sue again since he is familiar with it or to ask Bill for sug- 
gestions. If the server always tends to break after Andrew 
makes changes to the server, it may be best to investigate 
the issue. 


What 

IT techs may find it helpful to keep track of what other 
techs are fixing. If there is a network connection issue 
and the Ethernet devices have already been replaced a 
few times, then it may be safe to assume the problem lies 
somewhere else. Also, if the reason techs are checking 
the server is because of reports of Samba issues, then the Samba services probably need to be completely reinstalled (remove /usr/local/samba and run pkg_add -r samba35).


Why 

Knowing why a particular software or hardware is being 
updated, repaired, and so on, may help narrow down fu- 
ture issue origins when finding the source of an error. For 
illustration, if Bill reinstalled the NIS services because 
they repeatedly locked up, then Casey knows that anoth- 
er reinstallation will not fix the same issue that is occurring 
the next day. 


When 

The time errors occur or when they were fixed can assist 
some techs. For example, if the server is always powered 
up at 5:00am and syslogd crashes at 5:03 am everyday, 
then most likely a service is starting up that conflicts with 
syslogd. This would then point to the cron tables, at tables, 
or /etc/rc* scripts (some BSD systems structure their rc 
system differently). Any process that starts at 5:03am or 
a little before may be causing the crash. As another ex- 
ample, if the last backup was performed a week earlier, 
then the tech looking over the paper log should perform 
a backup or assign the task to someone else. This time 
log would also keep administrators from ruling out causes 
that are indeed the cause. For instance, assume the serv- 
er has a virus. The virus scanner is not finding the virus for 
some unknown reason. If the tech sees that the last anti- 
virus update was three months ago, then the tech has a 
good assumption that updating the anti-virus definitions 
will enable the scanner to find and remove the virus. Oth- 
erwise, the tech will falsely assume the scanner is up-to- 
date and waste precious time looking elsewhere for the fix 
for the problem. 


Where 

This may not be a very useful piece of information, but 
it may help in some instances. This would answer “from 
where was the server managed/fixed?” Servers can be 
fixed or repaired locally, remotely via secure shell (SSH), 
or other methods. If there are suspicions that the server is 
being hacked from a certain IP address, but it is later seen 
that the log states Andrew proof-read Bill’s /etc/rc.conf 
edits through a remote shell using the suspicious IP ad- 
dress, then we can rule out that address. 


How 


This is an important piece of information. How was the 
problem fixed and diagnosed? Was the DNS server's 
hard-drive replaced or reformatted? What command was 
used? This helps future problems get repaired the right 
way (if it worked) or differently if the issue still persists. 
This also helps to inform other techs what has already 
been done and tried with the server. 

Also, when making such logs, include which server (if 
there are more than one) and which OS (if the server is set 
up for a dual-boot or virtual system). It may help to have 
a separate file for each server. A log containing errors for 
an unsolvable issue should be printed out for future refer- 
ence just in case the server loses its files. It will be more 
difficult to fix an issue if the logs cannot be viewed. 


Finding Problems 

If users report that they cannot access files or information, then it may be wise to rule out as many issues as possible.

On some of the workstations, type ping <SERVER_IP_ADDRESS>. If the ping fails, then this proves the problem lies in the network connection. To help better pin-point the problem area, type traceroute <SERVER_IP_ADDRESS>. This command will print each location between the workstation and server. If the connection stops at a router, then the router or the devices before or after the router may be the cause of the connection error. If the connection is fine, the last stop should be the server.

Once it has been proven that the network is fine, it may 
mean the server itself is the source of the problem. If the 
inaccessible files are accessed via FTP, then the adminis- 
trator may want to make sure the FTP process is still run- 
ning. In a command-line, type: 


pgrep ftpd 


If the FTP daemon is running, the administrator should 
get a number (the PID) as the output. Then, the tech may 
want to restart the daemon using the command below. 


service ftpd restart 


If no output is received, then the FTP process closed for 
some reason. To turn it back on, type: 


service ftpd start 


The FTP server should be back online. Now would be a 
good time to investigate what caused the FTP daemon 
to close. To do this, check the logs. The log file for ftpd is /var/logs/ftpd. This is a plain text file. In a command-line, it can be read in one of many ways. The best way is to use the less command which allows the user to scroll up and down. To see the last ten lines, use the tail command.


less /var/logs/ftpd 
tail -10 /var/logs/ftpd 


If the FTP daemon is not starting when the server turns on, then the administrator needs to check /etc/rc.conf and make sure this line is in the configuration file: ftpd_enable="YES". If not, then that is why the daemon never started; no script told it to start.

If for some reason the above still does not help, check 
some of the permission files. Administrators can set up 
which users are allowed or not allowed to access certain 
services. The file /etc/ftpusers lists users that are not 
permitted to access any service or file provided by the 
FTP daemon. If many or all users are listed here, then that 
would explain why no one can access the files. 

NOTE: Remember to keep a backup of the ftpusers file 
by copying it to the root's home folder or some other des- 
ignated backup location. 

To allow everyone to use the FTP services, type: 


echo "" > /etc/ftpusers 


This will erase the list and allow all users to use the FTP 
server. If there are some users that should not access 
the FTP portion of the server, make a list of the users 
and re-add them to the list using a preferred text editor. 
Many users use Vi or Emacs in the command-line. 

To make sure the BSD server is recognizing all of its 
network devices, type ifconfig and make sure all of the 
Ethernet ports and wireless devices are listed. If any of 
the network devices are missing, then the operating sys- 
tem is missing a driver or that device is physically broken. 
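As an added example (not part of the article), the POSIX sh helpers below carry out the ftpusers and daemon checks described above against a file path passed as an argument, so they can be dry-run on a copy before /etc/ftpusers itself is touched; the path, the backup naming and the user names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article: helpers for the FTP checks above.
# The ftpusers path is an argument (assumption) so a copy can be tested first.

# List the users denied by an ftpusers file, ignoring comments and blank lines.
denied_users() {    # $1 = path to ftpusers
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$'
}

# Return 0 if user $1 is denied FTP access by the ftpusers file $2.
is_denied() {
    denied_users "$2" | grep -qx "$1"
}

# Rewrite ftpusers so that only the named users stay denied, after saving a
# timestamped backup next to the original (the article's advice before
# emptying the file with echo).
# Usage: rebuild_ftpusers /path/to/ftpusers user1 user2 ...
rebuild_ftpusers() {
    file=$1; shift
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    {
        echo "# users denied FTP access; rebuilt on $(date)"
        for u in "$@"; do echo "$u"; done
    } > "$file"
}

# Report whether ftpd is running (the article's pgrep check) and how many
# users the ftpusers file locks out. Run as: sh thisscript.sh /etc/ftpusers
ftp_status() {      # $1 = path to ftpusers
    if pids=$(pgrep -x ftpd); then
        echo "ftpd running, pid(s): $(echo "$pids" | tr '\n' ' ')"
    else
        echo "ftpd not running: try 'service ftpd start' and check ftpd_enable in /etc/rc.conf"
    fi
    n=$(denied_users "$1" | wc -l | tr -d ' ')
    echo "$n user(s) denied by $1"
}

if [ $# -ge 1 ]; then
    ftp_status "$1"
fi
```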


Checking the File System 

If the filesystem goes bad, then the contained data will be 
damaged and lost. Performing a simple restoration from a 
backup cannot be done. Look at the filesystem as a land- 
scape or garden. If the soil becomes rocky and bad for 
the plants, a gardener cannot replant a new plant without 
making the soil healthy. The same goes for a filesystem. 
To check a filesystem for errors, use fsck. 


fsck -t ufs 


The command will check the UFS filesystem for errors. 
If an error is found, it may be wise to make an immedi- 
ate backup of important savable files and then reformat 
or replace the hard-drive. Remember, when checking a 
filesystem using fsck, specify the filesystem type to be 
inspected. Otherwise, the check will not work properly if 
fsck is checking a UFS filesystem while expecting it to 
be ZFS. 

Generally, the best way to prevent or ease the repair of 
bad filesystems is to use a RAID system with parity. Then, 
the damaged storage unit can be removed and replaced 
with a new or repaired unit. FreeBSD will then recreate 
the data using the parity system. 


Problems with Finding Problems 
Logs are very useful in solving many problems. However, 
logs may not always be there to help. For instance, if the 
server locks up, syslogd (the process that makes logs) 
will not be able to write the logs. Then when the logs are 
viewed, nothing will be seen for the sequence of events 
that led up to the disaster. 

If malware erases the hard-drive, no logs will be seen. 
Also, if the hard-drive or filesystem is corrupted, then no 
logs will be seen either. 


GUI 
The default FreeBSD installation lacks a graphical user inter- 
face (GUI). For a server, the administrator must take some 
details into consideration before installing a GUI. A GUI 
would make a system easier to repair and maintain. Howev- 
er, this would make it easier for someone within the compa- 
ny to ruin the server and its data. Also, there would be more 
software that could cause a conflict with existing programs. 
If for some reason a GUI must be installed on a serv- 
er, it is best to install a graphical user interface with a 
small footprint (uses very little resources). Clearly, KDE, 
GNOME, Mate, Cinnamon, and Unity are not good choic- 
es for desktop environments on a server. Some graphical 
interfaces suitable for a server include Afterstep, Ratpoi- 
son, Enlightenment, Blackbox, Fluxbox, and other similar 
interfaces. XFCE or LXDE may work well on a server, but 
it may be best not to install a desktop interface that large 
on a server. 


NOTE 

At the time of writing, BSD distros have recently started 
using graphical user interfaces. However, they must be 
downloaded, compiled, and installed. BSD systems may 
have problems with some graphical user interfaces. It is 
best to avoid desktop interfaces unless it is absolutely 
necessary. 


Quick Fixes 


If a server daemon is found not to run on boot-up, it of 
course needs to be added to /etc/rc.conf. However, 
some administrators may not like Vi or Emacs and do not 
have time to install a preferred text editor. Well, there is a 
quick fix. To quickly and easily make a daemon start when 
the system loads up, type the following command: 


echo "apache22_enable=\"YES\"" >> /etc/rc.conf 

If an entry in /etc/rc.conf is spelled wrong, it can swift- 
ly be corrected. Assume the above command added the 
misspelled line apachy22_enable="YES". Type the below 
command to make the correction. 


sed -i '' -e 's|apachy22|apache22|' /etc/rc.conf 


The above command will perform a find-and-replace 
in file (changes take place instantly). No regex (wild- 
cards) is used, so the exact string will be matched and 
changed. Unless the administrator is very skilled with 
regex and has thoroughly read the configuration file, 
no one should use regex in such an important system 
file. Otherwise, settings that should be left alone will 
get changed if the tech is not careful. This can cause 
the server problems, and the administrator will have to 
spend time finding and fixing the problem. 


Updating 

Updates can be good for a server, but they can also be 
harmful. Updates may offer bug fixes, new abilities, more 
efficient algorithms, and less resource usage. So, updates 
may help a server’s performance. However, an update 
may contain a bug that the developers did not find. This 
bug may be minor or it could cause the system to be down 
for a while. Generally, it is best to have a "testing server". 
This server would be exactly like the main server, but the 
testing server has the latest updates. Server administra- 
tors would use such a server to test out new configuration 
settings on services and make sure that updates and new 
software work properly. However, some companies may 
not have the funds to have this testing system. It may also 
help to watch the Internet for reports on major bugs. 

An alternative to a testing server is to have a virtual testing 
server. Install virtualization software on a computer/operat- 
ing-system of choice. Then, install BSD and test the newest 
updates and such on this system. This will not be a perfect 
test because the hardware is not the same as the server. 
BSD distros run very well in virtual machines, so no problem 
should exist here. When updating the system, type: 


freebsd-update fetch; freebsd-update install 


This will update the list of available software and then up- 
date the software. You must be root to apply such updates. 


Log Space 
Over time, logs will consume a lot of space in /var/. To 
reduce the disk usage, remove the logs. This can be done 
in a number of ways. If your company requires the logs 
be stored, then get a USB hard-drive and move the logs 
to the drive. 

On a command-line, you could also run the logrotate 
command. This utility will compress old or large logs and 
give the system new, empty files to start writing more logs. 
To empty a single log, type a command like this: 


echo "" > /var/logs/SOME_LOG 

This will empty the log and keep the file without making 
a copy or compressing the file. 

Before removing logs, check for any recent activity that 
should be noted. 


Security 

Viruses and hackers may try to destroy the system from 
the outside, or people physically near the server may 
cause harm. The server must be protected physically and 
at the software and network level. The server and net- 
work system can be secured at various levels in numer- 
ous ways. 

For physical security, it is best to keep the server room 
locked and (if funding is sufficient) set up security cam- 
eras. Large companies with very important servers may 
want to consider hiring security guards. There are many 
other ways to secure the server physically, but that is be- 
yond the scope of this magazine. 

If local computers communicate with the server(s) via 
Wifi, the Wifi should use an encrypted signal and (if sup- 
ported by the wifi router) enable MAC address filtering. 

If a script needs to be added to the /etc/rc system, 
thoroughly review the script and only place executables 
here from trusted developers. The rc utility starts scripts 
at boot time, at shutdown, and during other important 
events. If a virus gets installed here, it may be difficult to 
remove it and it can cause a lot of damage. 

To see who has logged in, use the last command. This 
command may produce a long list of entries, so it may be 
better to pipe the output into less. 


last | less 


This command above will also show when the system 
is powered off. This can be helpful when figuring out 
when the system was last powered off. If the system los- 
es power from the power supply, that will not be seen in 
this log. 
The number one part of security that should not be 
neglected is anti-virus software. A popular open-source 
scanner is ClamAV. Beware though, anti-virus software 
can use up a lot of memory. While scanning, they can 
consume a portion of the CPU resources. Be sure to allow 
the virus scanner to scan the system and get definition up- 
dates after the company’s closing time or during mainte- 
nance time. A script can be made to update the definitions 
and scan the system. Before leaving for the day, execute 
a script with contents like in Listing 1 below (remember to 
use root privileges). Techs may want to read the man pag- 
es for clamav and add the parameters that will best suit the 
system's needs (Listing 1). 


Listing 1. Virus Scanner Script 


#!/bin/sh 
#Virus Scanner Script 

sudo freshclam #Update definitions 
sudo clamscan -r / #Scan the whole system 

shutdown -p now 


Backups 

Sometimes, the server may crash or lose data no matter 
how well it is maintained. To prevent permanent loss of 
data, the storage units should be backed up. Administra- 
tors will need extra storage devices. If the server has ten 
terabytes of data, then the backup storage should be the 
same amount or more. With the stability of USB devices 
and FreeBSD’s excellent support for such hardware, this 
makes backups easier. 

Plug in a USB external hard-drive. Use your preferred 
backup utility. Once finished, unmount and unplug the 
backup USB device and store it in a secure, dry, safe 
place. It may be best to store the drive in a fire-proof safe. 
Then, if the building or storage room catches on fire, the 
company will still have the data from the last backup. 

Clonezilla is a live Linux disc that can be used like 
Ghost to make an image of the hard-drive to an external 
hard-drive. 

For some, it may be best to only back up /etc/, /home/, 
/root/, and any other folders that may store important 
files that are needed and cannot be recovered through a 
fresh install. Keep a list or a storage device with all of the 
software installed after the original/last fresh install. Also, 
keep a copy of the installation disc of the preferred BSD 
operating system. Then, if the system must be reinstalled, 
the tech can install the BSD distro, install the applica- 
tions, and then put the data and files back. Remember, 
when doing a fresh install, to reformat the hard-drive(s). 
The filesystem may not have been formatted in a long 
time and the system crash may have been caused by, or 
caused, corruption of the filesystem. 

If the system is completely ruined, use the "rescue 
mode” that is on most BSD installation discs. This recov- 
ery utility may help save the system and data. When the 
server boots from the disc, read the menu and press the 
button needed to initiate rescue mode. 

Always make a second separate backup of the com- 
pany’s databases and data. If the company’s data gets 
ruined from a hacker or for whatever reason, this backup 
will be helpful. Saving the company’s data may be more 
important than the server itself, so keep this data safe 
and make back-ups often. If the system is fast enough, 
make a script that will copy the data to an external or re- 
mote storage device during a lunch break or some other 
large break. 
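As an added example (not from the article), the script below does what the Backups section describes: it archives the directories the article singles out, keeps the installed package list beside the archive, and records a SHA-256 so a restore can be checked before it is trusted. The destination directory is an argument (the assumption is a mounted USB drive or remote share), and "pkg info" is assumed as the package manager.

```shell
#!/bin/sh
# Added example, not from the article: archive the directories the article
# singles out (/etc, /home and /root by default), save the installed package
# list, and record a SHA-256 so a restore can be verified before it is trusted.
# The destination is an argument (a mounted USB drive or remote share is the
# assumption); "pkg info" is assumed as the package manager.

# Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1).
digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Create <dest>/backup-<stamp>.tar.gz from the given directories plus a
# .sha256 file beside it, and print the archive path.
make_backup() {     # $1 = destination dir, $2.. = directories to archive
    dest=$1; shift
    [ -d "$dest" ] || { echo "make_backup: $dest is not a directory" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    tar -czf "$archive" "$@" 2>/dev/null || return 1
    digest "$archive" > "$archive.sha256" || return 1
    # keep the package list beside the archive so the software can be
    # reinstalled after a fresh install, as the article recommends
    if command -v pkg >/dev/null 2>&1; then
        pkg info -q > "$dest/packages-$stamp.txt" 2>/dev/null || true
    fi
    echo "$archive"
}

# Return 0 only if the archive still matches its recorded digest and tar can
# list it; a failed check means the copy should not be restored from.
verify_backup() {   # $1 = archive path
    [ -r "$1.sha256" ] || return 1
    [ "$(digest "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tzf "$1" >/dev/null 2>&1
}

if [ $# -ge 1 ]; then
    dest=$1; shift
    [ $# -eq 0 ] && set -- /etc /home /root
    make_backup "$dest" "$@"
fi
```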


Important Rules 
Here are some very important rules to follow when man- 
aging a server. 


KISS 

Keep It Simple Stupid. Do not write overly complicated 
scripts or use long strings of commands when a short- 
er or more simple script/command can be used. Mak- 
ing scripts/commands more complicated than they really 
should be can increase the chances that a coding mistake 
will be overlooked and do something to ruin the BSD sys- 
tem, especially if the script is executed in Root’s account. 
As another example, if a system needs to be updated only 
for the purpose of getting a new SCSI driver, then down- 
load and install that single driver (if possible) instead of 
updating the whole system. This rule also applies to de- 
ciding whether to install an application. If it is not needed, 
do not install it. Some installed programs can slow down 
the boot-up time. 


NOTE 

The above tip does not mean performing a task the lazy 
way. Perform tasks completely and correctly — just do not 
overdo it. 

Do not use the name Root in vain — If a task can be 
completed on the server (or a workstation) using a regular 
account, do so. Only use Root when absolutely neces- 
sary, or else one accident can cause devastation to the 
server and network. 

Know your BSD distros — Overall, BSD distributions are 
the same as far as file and application locations. Howev- 
er, some may be different or may not support some shell 
commands. Before running certain commands (like rm 
and mv), make sure the files and directories you plan to 
manipulate exist in the location you are normally famil- 
iar with. Performing an action in the wrong directory can 
cause confusion when the system does not perform the 
actions it is assumed to complete. 

If it is not broken, do not fix it — If an upgrade is not 
needed, then do not do it. Updating, editing, and replac- 
ing hardware can cause issues. It would be a waste of re- 
sources to do so on a system that does not need it when 
the system later has issues from an unneeded “fix”. For 
illustration, assume Bill upgrades the BSD operating sys- 
tem without a specific need. Before, everything ran well 
but now, there is some system conflict with the new sys- 
tem. The conflict could have been avoided if Bill had not 
upgraded the system. When a system needs a repair or 
update, then the potential risks and problems that may re- 
sult from upgrading and repairing will be more worthwhile. 


Certification Prep 

For those of you wanting to get your BSD and/or LPI cer- 
tifications, you must understand all of the server daemons 
and configuration files. You must thoroughly understand 
the great importance of system backups and how they are 
performed. Learning the location of important system and 
server logs will also help those wanting to earn such cer- 
tifications. Obtaining these certifications will help admins 
get better jobs. Studying for such certifications will also 
give admins the knowledge they must have to sufficiently 
manage servers. 


DEVYN COLLIER JOHNSON 

Devyn Collier Johnson DevynCJohnson@Gmail.com has written many 
articles for Linux.org, wrote one article for the Full Circle Magazine on 
Clementine, and was the technical editor for McGraw Hill’s book Epub: 
From the Ground Up. The author has some experience and certifica- 
tions in Linux/Unix systems. More about the author can be found here: 
https://launchpad.net/~devyncjohnson-d 


Feel free to contact the author via email, Launchpad, Linux.org, or 
Google+ for questions or article requests. 
Re-purposing an 
Abandoned Mac Mini 
as a Wireless Router with OpenBSD 


Don't let thousands of dollars worth of hardware that 
has been abandoned by Apple rot with old, unsupported 
software. Bring it into the present with OpenBSD. 


What you will learn... 
• How to work with OpenFirmware to install BSD 
• Configuring a Mac Mini to work as a wireless router 


In June 2005, Apple announced that it would be switch- 
ing their systems from PowerPC processors to Intel 
x86-based processors. Apple started offering these Intel 
models in January of 2006, and it was only a matter of time 
until the millions of PowerPC Macs in use were obsolete. 

In August of 2009, Apple released Snow Leopard, OSX 
10.6, their first Intel-only operating system. Their last Pow- 
erPC OS, 10.5 Leopard, was released in October 2007, 
and the last security fix for Leopard was released in May 
2012. Adding insult to injury, that fix was Intel-only [1]. 

Many Mac users are therefore left with perfectly capable 
systems that in some cases cost them thousands of dol- 
lars, and they are unsatisfied running an outdated, inse- 
cure OS on them. PowerPC is currently a supported plat- 
form on OpenBSD [2] (it is also supported on NetBSD [3] 
and FreeBSD [4], but as a Tier 2 platform — which means 
that they are not fully supported), so I have chosen it to 
give new life to my PowerPC Mac. 


Preparation 

It is essential that the driver for the wireless adapter you 
intend to use for your router can operate in hostap mode, 
which means it can act as an access point (or base sta- 
tion) for other cards. As almost all models of Apple Air- 
port wireless cards do not support hostap mode, I am 
using a USB adapter for the LAN-facing wireless 
interface. There are not many USB adapters currently 
available that support hostap mode in OpenBSD, so it 
is very important to pick one with a chipset that uses the 
athn(4), ural(4) or rum(4) drivers [5]. For the example, I 
am using a TP-LINK TL-WN722N, which I picked up lo- 
cally for $15 USD. 


What you should know... 
• Basic BSD concepts 
• Basic networking concepts 


Booting from CD 

New World Macs use a boot system called OpenFirm- 
ware. OpenFirmware was originally developed by Sun 
Microsystems and is used in a variety of PowerPC sys- 
tems from various manufacturers. It serves essentially the 
same purpose as the BIOS found in older PCs or the EFI 
found in newer Macs and PCs. 

In order to be able to install OpenBSD on our Mac, we 
will need to access the OpenFirmware prompt. When 
booting, hold down option-command-o-f (or, on a non-Mac 
keyboard, meta-alt-o-f) and you will be brought to the 
OpenFirmware command line (Listing 1). 

At the prompt, with the OpenBSD disk in the CD drive, 
assuming you are using version 5.3, type: 


boot cd:,ofwboot 5.3/macppc/bsd.rd 


This command tells the system to boot from the CD drive 
a file called ofwboot, the OpenBSD bootstrap program, 
in the root directory of the CD. Before the comma would 
typically come the partition number you'd like to boot to, 
but it is not applicable in the case of a CD. You are then 
passing to the ofwboot program the location of the BSD 
compressed RAMDISK kernel which contains an em- 
bedded filesystem with the installation tools. 


Installing OpenBSD 

Once the system has been booted, install OpenBSD as 
desired. If you have no intention of dual-booting with 
Mac OS X, choose an MBR partition map as then the 
bootstrap program will be installed automatically during 
installation, whereas for HFS disks ofwboot must be in- 
stalled manually. 

You can choose to configure the internal Ethernet de- 
vice (gem0) during the installation or afterward. 


Setting “Autoboot” 

After installation, the system must be configured to auto- 
matically boot to our new OpenBSD installation. Boot the 
system to the OpenFirmware prompt once again and en- 
ter the following: 


setenv auto-boot? true 
setenv boot-device hd:,ofwboot 


reset-all 


We are telling OpenFirmware to automatically boot our 
system using the ofwboot bootstrap file on our hard 
drive, and telling it to save these changes into NVRAM 
with the reset-all command. 


Enabling the Wireless Adapter 

Once the newly installed system has booted, we will con- 
figure our wireless adapter. Assuming that the firmware 
has loaded correctly, you should see your adapter in the 
list when executing ifconfig. The adapter I'm using for 
this example uses the Atheros chipset and thus shows up 
as athn0. To set up a simple access point with basic WPA 
security, we would enter the following: 


# ifconfig athn0 inet 172.16.0.1 netmask 255.255.255.0 media autoselect \ 
    mediaopt hostap nwid miniwifi wpakey abcd1234 chan 1 up 


We have now assigned our wireless adapter the IP ad- 
dress 172.16.0.1, set the hostap mode option, allowing 
our adapter to act as an access point, set the network 
ID to miniwifi, configured WPA with an example pass- 
phrase of abcd1234 (you will want to use one much more 
secure) and brought the adapter up on channel 1. 


Configuring the Router 

Next, we are going to configure the system to allow rout- 
ing network traffic through it. Configure IPv4 traffic to be 
forwarded between our interfaces: 


sysctl net.inet.ip.forwarding=1 

Listing 1. OpenFirmware command line 


Welcome to OpenFirmware 

To continue booting, type "mac-boot" and press return. 
To shut down, type "shut-down" and press return. 

Release keys to continue! 

Ok 
0 > 


Listing 2. dhcpd.conf 

option domain-name "mini.mac"; 
option domain-name-servers 208.67.222.222, 208.67.220.220; 

subnet 172.16.0.0 netmask 255.255.255.0 { 
    option routers 172.16.0.1; 
    range 172.16.0.100 172.16.0.150; 
} 


Listing 3. pf.conf 

##Macros to simplify when we add more complex rules 
wired = "gem0" 
wireless = "athn0" 
icmp_types = "{ echoreq unreach }" 

#Configure statistic logging for our wireless interface 
set loginterface $wireless 

#Allow lo0 to talk unrestricted 
set skip on lo0 

#Scrub incoming packets 
match in all scrub (no-df) 

#NAT for wireless clients 
match out on egress from !(egress:network) to any nat-to (egress:0) 

#Block all by default 
block log all 

#Let some traffic in 
pass in inet proto { tcp udp } all 
pass in inet proto icmp all icmp-type $icmp_types 
This can be made persistent by uncommenting the ap- 
propriate line from /etc/sysctl.conf. 

Next we will configure dhcpd. I set up a very simple dh- 
cpd.conf to start: Listing 2. 

With this configuration file, clients are served the inter- 
nal domain name, mini.mac, the available DNS servers 
(in this case we're using OpenDNS), the network's subnet 
and its netmask, and the default gateway, set to the address 
we assigned to our wireless adapter. I then set the range of 
addresses to be assigned to 172.16.0.100-150. 

Next, to ensure that dhcpd will start at boot, add the fol- 
lowing line to your /etc/rc.conf.local: 


dhcpd_flags="" 


Restart dhcpd to make our changes take effect: 


# /etc/rc.d/dhcpd restart 


Configuring PF 

The last thing we need to do for our simple router is to 
configure PF. We will create a very basic configuration 
NATing our internal addresses to the internet, allowing 
outbound traffic and some inbound traffic (Listing 3). 
Lastly, we need to reload the modified PF configuration: 


# pfctl -f /etc/pf.conf 


Conclusion 

You now have a perfectly good wireless router instead of 
an expensive doorstop. At this point, the router is very ba- 
sic — the best next step would be to expand your PF rules 
to make it as useful and secure as possible. Also, you 
could continue configuring your own DNS server, install- 
ing Squid, or just about anything else that would be useful 
for your particular environment. 


PATRICK ALLEN 


Patrick Allen has been passionate about computers since he first sat 
down in front of his Commodore 64 many, many years ago. He lives in 
Colorado, USA with his wife and children. 
Monit 


Monitoring solution for enterprise and SOHO servers with 
FreeBSD 


The state of the network services offered by a company is 
the business card with which it presents itself to the world. 
Thanks to constant monitoring, it is possible to understand 
how and where to improve the infrastructure of the network 
in real time and detect any abnormalities. 


What you will learn... 
• In this paper we will learn to set up and manage a monitoring 
server based on Monit. 


Monit is software that should not be missing in the 
kit of a network administrator, as it automatical- 
ly controls and manages the applications on the 
server side in order to ensure that they are consistently 
active, for example, by testing the size of the files and 
permissions. In particular, Monit provides system admin- 
istrators with an excellent control tool also equipped with 
a web interface. This allows you to manage the state of 
the system and processes using either a standard web 
browser or from the command line. 
In this article, we will carry out the monitoring of a web 
server like Apache or Nginx with MySQL, SSH, and cron. 


Installing a FAMP Environment: the easy way 

This section describes how to set up Apache, MySQL, PHP 
and phpMyAdmin on a server running FreeBSD. The arti- 
cle was written for the software versions below but is likely 
to work on newer versions without too much difficulty. 
Installing MySQL: 


cd /usr/ports/databases/mysql55-server 
make BUILD_OPTIMIZED=yes BUILD_STATIC=yes 


make install clean 
Open /etc/rc.conf with your favourite text editor and add 


the line shown below. This will ensure mysql is enabled 
and starts on boot. 
What you should know... 
• Basics about how network services work and basic BSD 
networking setup. 


mysql_enable="YES" 


Start mysql manually to avoid having to reboot now by 
typing: 


/usr/local/etc/rc.d/mysql-server start 


Set a password for the MySQL root user by executing 
the command, substituting your own password in place 
of new-password: 


/usr/local/bin/mysqladmin -uroot password 'new-password' 


And now MySQL is installed. Let's start to install Apache. 
And now MySQL is installed. Let’s start to install Apache. 


cd /usr/ports/www/apache22 


make install clean 
It’s a good idea to disable the two DAV options, if you 
don't need them, when prompted. 

Open /etc/rc.conf with your favourite text editor and 
add this line shown below to start Apache on boot. 


apache22_enable="YES" 


Installing PHP 
cd /usr/ports/lang/php5 


make install clean 


It’s very important to verify that the APACHE (Build 
Apache module) option is ticked and leave all other op- 
tions as default before selecting OK. 


cd /usr/ports/lang/php5-extensions 


make install clean 
Install the php.ini file: 
cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini 


Edit the Apache configuration file /usr/local/etc/ 
apache22/httpd.conf by adding the following lines: 


AddType application/x-httpd-php .php 
AddType application/x-httpd-php-source .phps 


Change the line: DirectoryIndex index.html ...to 
DirectoryIndex index.php index.html ... 

Enable language settings by searching for the line: 
#Include etc/apache22/extra/httpd-languages.conf 

and removing the # comment mark so it reads: 

Include etc/apache22/extra/httpd-languages.conf 

Edit the language settings file (/usr/local/etc/apache22/ 
extra/httpd-languages.conf) and add the following line 
at the end of the file: 

AddDefaultCharset On 

Start Apache using the startup script: 


/usr/local/etc/rc.d/apache22 start 


And you’re done! Apache with PHP and MySQL 
are installed. 


After the FAMP environment, let's install Monit 
Installing Monit is really very simple. On FreeBSD or Open- 
BSD, just log on to the terminal with administrator rights 
and type: 


# pkg_add -r -v monit 
To verify that the installation is successful, simply run 
the following command at the terminal: 


# monit status 


which should return the statistics for general use of 
the system. 


A simple configuration 

It’s really easy to create effective monitoring systems with 
the use of Monit. By default, it checks every two minutes if 
a service is active and stores the information in the log file 
/var/log/monit.log. 

However, it is possible to change any of the settings by 
correctly filling in the fields in the main configuration 
file: /etc/monit/monitrc on Debian based distributions 
and /usr/local/etc/monitrc on FreeBSD. 

Monit natively provides a web server that responds 
on port 2812. To enable it properly, just edit the con- 
figuration file and restart the service with "monit re- 
load" from a terminal as root. Below is a simple example 
that binds the server to 192.168.200.50 and allows access 
from the local network 192.168.200.0/24 with username 
"admin" and password "monit". 


set httpd port 2812 
    use address 192.168.200.50 
    allow 192.168.200.0/24 
    allow admin:monit 
    allow @monit 
    allow @users readonly 


Figure 1. Monit, services console monitoring 
The last two lines indicate that the users of the group 
“monit” have full read/write access to the system, while 
users of the “users” group have read-only access. 

Now, with the browser on the IP or domain name of the 
server and logging in with the credentials created before, 
you will see a screen like this (If one wants to enable SSL 
access, one must create an ad hoc certificate) (Figure 1). 

The simplest configuration that can be set relates to the 
monitoring of the services running on the server itself. In 
fact, by properly editing /usr/local/etc/monitrc, one 
can be sure to keep them always "up". If the services ac- 
tive are Apache, MySQL and Nginx, they would be au- 
tomatically tracked and restarted if they hang, and it 
would be possible to check the status from both the web 
interface and the text-based interface (Listing 1). 

To check the correct syntax of the configuration file sim- 
ply run the command: 


monit -t 


Once the output of the command returns “Control file syn- 
tax OK”, the system is set up and ready to manage net- 
work services. To enable all tracking systems, simply run: 


monit start all 


In the heart of Monit configuration file 
An entry for the control of a generic process in the file 
/usr/local/etc/monitrc has the following syntax: 


check process PROCESSNAME 
    with pidfile PIDFILENAME-WITH-ABSOLUTE-PATH 
    start program = STARTUP-SCRIPT 
    stop program = STOP-SCRIPT 


This item, in particular, checks the status of the local 
server cron daemon: 


check process crond 
    with pidfile /var/run/crond.pid 
    start program = "/etc/init.d/cron start" 
    stop program = "/etc/init.d/cron stop" 
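As an added example (it is not Monit's code and not from the article), the POSIX sh functions below model what a "check process ... with pidfile" entry does, together with the "if failed ... then restart" and "if 5 restarts within 5 cycles then timeout" rules of Listing 2, so the cases a monitor has to handle (missing pidfile, stale pidfile, a daemon that keeps dying) are explicit. The pidfile, the state file and the start command are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not Monit's code: a shell model of "check process ... with
# pidfile" plus "if failed ... then restart" and "if N restarts within N cycles
# then timeout". Pidfile, state file and start command are arguments
# (assumptions), so it can be exercised without a real daemon.

# Status of the process named in a pidfile:
#   0 = alive, 1 = pidfile missing or unreadable,
#   2 = pidfile present but the pid is gone (stale pidfile),
#   3 = pidfile contents are not a pid.
pidfile_state() {   # $1 = pidfile
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 3 ;; esac
    # ps -p is POSIX and, unlike kill -0, does not report EPERM as "dead"
    # when an unprivileged monitor looks at a root-owned daemon
    ps -p "$pid" -o pid= >/dev/null 2>&1 || return 2
}

# One monitoring cycle. Prints "<name>: ok", "<name>: restart",
# "<name>: restart failed" or "<name>: timeout ..." and returns 0, 0, 2 or 1.
# Restart attempts since the last healthy cycle are counted in the state file
# so repeated runs (e.g. from cron) share the counter; once it reaches $5 the
# service is left alone and a human has to look, as Monit's timeout does.
monitor_cycle() {   # $1 = name, $2 = pidfile, $3 = start command, $4 = state file, $5 = max restarts
    name=$1 pidfile=$2 start=$3 state=$4 max=${5:-5}
    if pidfile_state "$pidfile"; then
        echo "$name: ok"
        : > "$state"                      # healthy: reset the restart counter
        return 0
    fi
    restarts=0
    [ -f "$state" ] && restarts=$(wc -l < "$state" | tr -d ' ')
    if [ "$restarts" -ge "$max" ]; then
        echo "$name: timeout after $restarts restarts, not restarting again"
        return 1
    fi
    date +%s >> "$state"                  # record this attempt before acting
    if sh -c "$start" >/dev/null 2>&1; then
        echo "$name: restart"
    else
        echo "$name: restart failed"
        return 2
    fi
}
```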


However, it is always possible to refer to the monit man page to get the complete set of instructions and options to best configure the control system. There are two options you should activate in any case. The first is the logging system, in the file /usr/local/etc/monitrc (in this case, everything is logged to the general system log): 


set logfile syslog facility log_daemon 


The second is to automatically start monit as a system daemon, which is accomplished by editing the file /etc/rc.conf and adding the item: 


monit_enable="YES" 


Enabling monit as a system service (with updates 
every minute): 


set daemon 60 


A further change to the configuration of the logging via syslog lets you use a dedicated file for easier management of alerts: 


set logfile syslog facility log_daemon 
set logfile /var/log/monit.log 


Configure your mail server to send email notifications: 


set mailserver mail.yourmailserver.tld 


Set the email format, including the From address: 


set mail-format { 
    from: monit@yourmailserver.tld 
    subject: $SERVICE $EVENT at $DATE 
    message: Monit $ACTION $SERVICE at $DATE on $HOST: $DESCRIPTION. 
} 


Listing 1. /usr/local/etc/monitrc 


## Apache: 
check process apache with pidfile /var/run/httpd.pid 
    start program = "/usr/local/etc/rc.d/apache22 start" with timeout 60 seconds 
    stop program = "/usr/local/etc/rc.d/apache22 stop" 

## MySQL 
check process mysqld with pidfile /var/run/mysqld/"${hostname -f}".pid 
    start program = "/usr/local/etc/rc.d/mysql-server start" 
    stop program = "/usr/local/etc/rc.d/mysql-server stop" 

## Nginx 
check process nginx with pidfile /var/run/nginx.pid 
    start program = "/usr/local/etc/rc.d/nginx start" 
    stop program = "/usr/local/etc/rc.d/nginx stop" 


Listing 2. Example of Apache service management 


check process httpd with pidfile /var/run/httpd.pid 
    group www 
    start program = "/usr/local/etc/rc.d/apache22 start" with timeout 60 seconds 
    stop program = "/usr/local/etc/rc.d/apache22 stop" 
    if failed host 127.0.0.1 port 80 protocol http then restart 
    if 5 restarts within 5 cycles then timeout 


An example of Apache service management is given in Listing 2. The entries in a control call are: 


• check process httpd with pidfile /var/run/httpd.pid: you specify the pid file httpd.pid and its "daemon name". 

• group www: we specify the www group, with permissions for startup / shutdown of the service. 

• start program = "/usr/local/etc/rc.d/apache22 start": startup script. 

• stop program = "/usr/local/etc/rc.d/apache22 stop": shutdown script. 

• if failed host 127.0.0.1 port 80: server IP address and listening port (80). 

• protocol http then restart: the web server restarts if it is not possible to reach the IP and port specified. 

• if 5 restarts within 5 cycles then timeout: five attempts to restart have been made. If monit cannot run the service, it takes the timeout condition. 
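The httpd access-control directives and the "check process" entries explained above lend themselves to an automated review before a control file goes into production. The following Python script is an added example, not code from the article or from the Monit project: it parses the subset of monitrc syntax the article uses ("set daemon", "set httpd" with "use address" and "allow", and "check process" with a pidfile or a matching pattern) and reports what a reviewer would query: an httpd with no credentials or bound to every interface, an "allow" network that covers the whole Internet, a process check with neither a pidfile nor a matching pattern, and a check that can restart a service without an "if N restarts within M cycles then timeout" limit. The sample control file, the function names and the finding texts are constructed for the example.

```python
import ipaddress
import re

# Constructed sample control file (not the article's own): httpd access
# control, a pidfile-based check with a restart limit, and a "matching"
# check that has a start program but no restart limit.
SAMPLE_MONITRC = """\
set daemon 60
set logfile /var/log/monit.log
set httpd port 2812
    use address 192.168.200.50
    allow 192.168.200.0/24
    allow admin:monit
    allow @users readonly
check process sshd with pidfile /var/run/sshd.pid
    start program = "/etc/rc.d/sshd start"
    stop program = "/etc/rc.d/sshd stop"
    if failed host 127.0.0.1 port 22 protocol ssh then restart
    if 5 restarts within 5 cycles then timeout
check process vsftpd matching vsftpd
    start program = "/etc/init.d/vsftpd start"
    stop program = "/etc/init.d/vsftpd stop"
"""

RESTART_LIMIT = re.compile(r"^if \d+ restarts? within \d+ cycles then", re.I)


def parse_monitrc(text):
    """Parse the monitrc subset used in the article into a plain dict.
    Indented lines are attached to the preceding 'set httpd' or 'check' entry."""
    cfg = {"daemon": None, "httpd": None, "checks": []}
    block = None  # the 'set httpd' or 'check' entry currently collecting sub-lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "set":
            block = None
            if words[1] == "daemon":
                cfg["daemon"] = int(words[2])
            elif words[1] == "httpd":
                block = cfg["httpd"] = {"port": None, "address": None, "allow": []}
                if len(words) >= 4 and words[2] == "port":
                    block["port"] = int(words[3])
        elif words[0] == "check":
            pid = re.search(r"\bwith pidfile (\S+)", line)
            match = re.search(r"\bmatching (\S+)", line)
            block = {"kind": words[1], "name": words[2],
                     "pidfile": pid.group(1) if pid else None,
                     "matching": match.group(1).strip('"') if match else None,
                     "rules": []}
            cfg["checks"].append(block)
        elif block is None:
            continue  # e.g. the body of 'set mail-format { ... }'
        elif "allow" in block:  # sub-line of 'set httpd'
            if words[0] == "allow":
                block["allow"].append(words[1:])
            elif words[:2] == ["use", "address"]:
                block["address"] = words[2]
        else:  # sub-line of a 'check' entry
            block["rules"].append(line)
    return cfg


def audit(cfg):
    """Return (severity, message) findings for a parsed configuration."""
    findings = []
    if cfg["daemon"] is None:
        findings.append(("warn", "no 'set daemon' interval: monit will not keep polling"))
    httpd = cfg["httpd"]
    if httpd is not None:
        if httpd["address"] is None:
            findings.append(("warn", "httpd has no 'use address': it listens on every interface"))
        nets = [a[0] for a in httpd["allow"] if ":" not in a[0] and not a[0].startswith("@")]
        creds = [a[0] for a in httpd["allow"] if ":" in a[0] or a[0].startswith("@")]
        if not creds:
            findings.append(("high", "httpd has no user/password or group 'allow': "
                                     "the allowed network controls every service unauthenticated"))
        for net in nets:
            try:
                if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                    findings.append(("high", f"httpd 'allow {net}' admits the whole Internet"))
            except ValueError:
                pass  # host names are not evaluated here
        for cred in creds:
            if ":" in cred:
                user = cred.split(":", 1)[0]
                findings.append(("info", f"cleartext password for '{user}' in monitrc: keep the file mode 0600"))
    for chk in cfg["checks"]:
        if chk["kind"] != "process":
            continue
        name = chk["name"]
        if chk["pidfile"] is None and chk["matching"] is None:
            findings.append(("high", f"process check '{name}' has neither a pidfile nor a matching pattern"))
        has_start = any(r.startswith("start") for r in chk["rules"])
        if has_start and not any(RESTART_LIMIT.match(r) for r in chk["rules"]):
            findings.append(("warn", f"process check '{name}' can restart without an "
                                     "'if N restarts within M cycles then timeout' limit"))
        if chk["matching"] is not None:
            findings.append(("info", f"process check '{name}' uses pattern matching: "
                                     "any process whose command line matches satisfies it"))
    return findings
```

Running audit(parse_monitrc(SAMPLE_MONITRC)) yields three findings: the cleartext admin password, the missing restart limit on the vsftpd check, and the note that a "matching" check is satisfied by any process with that name in its command line. Feed it your own monitrc (open(path).read()) to review a real file; "monit -t" still has the final say on syntax.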


Below is an example of managing MySQL and ssh on the local server (Listing 3). 

To start and test monit, the easiest method is to "kill a process"; the daemon will restart it and the system log will store the event. Monit will trace the status of cron as "inactive" and will start it again at the next cycle without requiring intervention by a system administrator. 

Taking a look at the log file, we can verify that cron was revived by monit after being "killed", as shown in Figure 2. 


The whole server room in a click 

The web server integrated in Monit provides different levels of access: simple (no control over the LAN IP and no request for username / password), and standard (requested username / password and a block of IP addresses from which you can access). You can optionally integrate an SSL certificate (Figure 4). 

Once logged in, we see a Summary screen with the sta- 
tus of the servers and services running on it. Clicking on 
the individual links will access details of all the data of in- 
terest (Figure 5). 

From this screen, you can see the details of the data for the server, enable and disable the monitoring in real time, discover, in addition to the system load average, the CPU, RAM and SWAP usage, and see when the data was collected, perhaps for statistical purposes (Figure 6). This screen allows you to check, in one fell swoop, all the details of each service, from user and group to pid and process owner. You can also start / stop / restart the service itself and enable / disable the monitoring, in addition to the usual data including pid and CPU and RAM usage. 


Figure 2. Monit, service cron restart 



Figure 3. Monit, ACCESS TO THE SYSTEM BY WEB 


Figure 4. Monit, AGENERAL OVERVIEW 


Listing 3. Example of service management for MySQL and ssh on the local server 


check process mysqld with pidfile /var/run/mysqld/"${hostname -f}".pid 
    group mysql 
    start program = "/usr/local/etc/rc.d/mysql-server start" 
    stop program = "/usr/local/etc/rc.d/mysql-server stop" 
    if failed host 127.0.0.1 port 3306 then restart 
    if 5 restarts within 5 cycles then timeout 

check process sshd with pidfile /var/run/sshd.pid 
    start program = "/etc/rc.d/sshd start" 
    stop program = "/etc/rc.d/sshd stop" 
    if failed host 127.0.0.1 port 22 protocol ssh then restart 
    if 5 restarts within 5 cycles then timeout 
Administer Vsftpd with Monit - an example of a missing pidfile 

Some services, such as the well-known server Vsftpd, do not rely on a "pidfile" to interact with the system, and it is then complex to manage them with monit. Moreover, such services are so widespread that a solution, even if partial, can be very convenient. The following link may provide cues suitable to solve the problem, which is beyond the scope of this article (http://serverfault.com/questions/270316/monit-check-process-without-pidfile). 


check process vsftpd 
    matching vsftpd 
    start program = "/etc/init.d/vsftpd start" 
    stop program = "/etc/init.d/vsftpd stop" 


Figure 5. Monit, BEFORE THE SERVER 


Finally we must add the library of pre-configured vsftpd to the monit control file and then restart the service for the changes to take effect. 


Advanced Configurations from the heart of the server rooms 

Below here is a small library of configurations to be added to your monitoring system. In particular, they refer to the location of the pidfile and the methods to start / stop the services (Listing 4). 

Of course, there are many other services that can be 
monitored with this tool, but this base should be sufficient 
to take the first steps. From this point on, you're only lim- 
ited by your imagination (Figure 7). 


Figure 6. Monit, THEN SERVICES 
Figure 7. Monit, extract of a production server monitrc file 

linux.com/) and Linux Magazine (http://www.linuxmagazine.it/). 


Listing 4. Advanced Configurations from the heart of the server rooms 


## Syslogd (system logfile daemon) 
check process syslogd with pidfile /var/run/syslogd.pid 
    start program = "/etc/rc.d/sysklogd start" 
    stop program = "/etc/rc.d/sysklogd stop" 
    if 5 restarts within 5 cycles then timeout 
check file syslogd_file with path /var/log/syslog 
    if timestamp > 65 minutes then alert 

## Net-SNMP (SNMP agent) 
check process snmpd with pidfile /var/run/snmpd.pid 
    start program = "/usr/local/etc/rc.d/snmpd start" 
    stop program = "/usr/local/etc/rc.d/snmpd stop" 
    if failed host 192.168.1.1 port 161 type udp then restart 
    if failed host 192.168.1.1 port 199 type tcp then restart 
    if 5 restarts within 5 cycles then timeout 

## NTP (time server) 
check process ntpd with pidfile /var/run/ntpd.pid 
    start program = "/etc/rc.d/ntpd start" 
    stop program = "/etc/rc.d/ntpd stop" 
    if failed host 127.0.0.1 port 123 type udp then alert 
    if 5 restarts within 5 cycles then timeout 

## Bind (chrooted) 
check process named with pidfile /var/named/chroot/var/run/named/named.pid 
    start program = "/etc/rc.d/named start" 
    stop program = "/etc/rc.d/named stop" 
    if failed host 127.0.0.1 port 53 type tcp protocol dns then alert 
    if failed host 127.0.0.1 port 53 type udp protocol dns then alert 
    if 5 restarts within 5 cycles then timeout 

## Squid (http, ftp proxy) 
check process squid with pidfile /usr/local/squid/logs/squid.pid 
    group www 
    start program = "/usr/local/etc/rc.d/squid start" 
    stop program = "/usr/local/etc/rc.d/squid stop" 
    if failed host 192.168.1.1 port 3128 then restart 
    if 5 restarts within 5 cycles then timeout 
    depends on squid_bin 
    depends on squid_rc 
check file squid_bin with path /usr/local/bin/squid 
    group www 
    if failed checksum then unmonitor 
    if failed permission 755 then unmonitor 
    if failed uid root then unmonitor 
    if failed gid root then unmonitor 
check file squid_rc with path /usr/local/etc/rc.d/squid 
    group www 
    if failed checksum then unmonitor 
    if failed permission 755 then unmonitor 
    if failed uid root then unmonitor 
    if failed gid root then unmonitor 

## Postfix (mail server) 
check process postfix with pidfile /var/spool/postfix/pid/master.pid 
    group mail 
    start program = "/usr/local/etc/rc.d/postfix start" 
    stop program = "/usr/local/etc/rc.d/postfix stop" 
    if failed port 25 protocol smtp then restart 
    if 5 restarts within 5 cycles then timeout 
    depends on postfix_rc 
check file postfix_rc with path /usr/local/etc/rc.d/postfix 
    group mail 
    if failed checksum then unmonitor 
    if failed permission 755 then unmonitor 
    if failed uid root then unmonitor 
    if failed gid root then unmonitor 

## Dovecot (imap secure server) 
check process dovecot with pidfile /var/run/dovecot/master.pid 
    start program = "/usr/local/etc/rc.d/dovecot start" 
    stop program = "/usr/local/etc/rc.d/dovecot stop" 
    group mail 
    if failed host mail.yourdomain.tld port 993 type tcpssl sslauto protocol imap for 5 cycles then restart 
    if 3 restarts within 5 cycles then timeout 
    depends on dovecot_init 
    depends on dovecot_bin 
check file dovecot_init with path /usr/local/etc/rc.d/dovecot 
    group mail 
check file dovecot_bin with path /usr/sbin/dovecot 
    group mail 
ADMIN 


FreeBSD Programming Primer — Part 8 


In the eighth part of our series on programming, we will refine our Jquery menu and start building a user friendly interface to add content. 


What you will learn... 
• How to configure a development environment and write HTML, CSS, PHP and SQL code 


What you should know... 
• BSD and general PC administration skills 


In the previous article, we implemented a menu using the Jquery library. Looking at menu.inc, we see the menu is "hard coded" with a top level menu Home, and sub menus Pages, News and FAQ's. To make our CMS user friendly, ideally we would store the menu values in a database table that we could access and amend from a web form (Listing 1 and Figure 1). 

Rather than building a custom page for each table, it would be good practice to design a set of global functions (e.g. sign on, retrieve fields, save fields etc.) and design a template that we could change on a per table / form basis. We could then quickly build forms to modify each type of content. We also need to tweak the CSS for our dropdown menu. At the moment with the default CSS, the menu is floating to the left hand side. We will modify this to accommodate a wider menu with more options. 


Figure 1. Original Jquery menu 


Step 1 

For the initial testing, we will hand code a menu in menu. 
inc and add a few placeholders. Once we are happy with 
the CSS, we will then add this to a database table and 
add our forms. In the next article, we will write the code 
to extract the menu values and fire them into Jquery. 


Listing 1. menu.inc 


<ul id="menu"> 
  <li> 
    <a href="/">Home</a> 
    <ul> 
      <li><a href="/page/1">Pages</a></li> 
      <li><a href="/news/1">News</a></li> 
      <li><a href="/faq/1">FAQ's</a></li> 
    </ul> 
  </li> 
</ul> 
Figure 2. Jquery menu horizontal 


Figure 3. Jquery menu with drop down menu 


Listing 2. Replacement Jquery menu 


<div id="jquerymenu"> 

  <ul id="top-menu-home"> 
    <li><a href="/">Home</a></li> 
  </ul> 

  <ul id="top-menu-pages"> 
    <li><a href="">Pages</a> 
      <ul> 
        <li><a href="/page/1">Page 1</a></li> 
        <li><a href="/page/2">Page 2</a></li> 
        <li><a href="/page/3">Page 3</a></li> 
      </ul> 
    </li> 
  </ul> 

  <ul id="top-menu-news"> 
    <li><a href="">News</a> 
      <ul> 
        <li><a href="/news/1">News 1</a></li> 
        <li><a href="/news/2">News 2</a></li> 
        <li><a href="/news/3">News 3</a></li> 
      </ul> 
    </li> 
  </ul> 

  <ul id="top-menu-faq"> 
    <li><a href="">FAQ's</a> 
      <ul> 
        <li><a href="/faq/1">FAQ 1</a></li> 
        <li><a href="/faq/2">FAQ 2</a></li> 
        <li><a href="/faq/3">FAQ 3</a></li> 
      </ul> 
    </li> 
  </ul> 

  <ul id="top-menu-user"> 
    <li><a href="/login.php">Login</a></li> 
  </ul> 
</div> 


Listing 3. preload.js 


function globalmenu() { 
  $(function() { $( "#top-menu-home" ).menu(); }); 
  $(function() { $( "#top-menu-pages" ).menu(); }); 
  $(function() { $( "#top-menu-news" ).menu(); }); 
  $(function() { $( "#top-menu-faq" ).menu(); }); 
  $(function() { $( "#top-menu-user" ).menu(); }); 
} 


Listing 4. global.css 

#jquerymenu { 
  border: 1px solid #DADADA; 
  height: 48px; 
  padding: 5px; 
  background-color: #e8e7cf; 
} 

.ui-menu { 
  float: left; 
} 
Listing 5. create the menus table 


CREATE TABLE `menus` ( 
  `id` int(11) NOT NULL AUTO_INCREMENT, 
  `group` varchar(12) NOT NULL, 
  `menutitle` varchar(12) NOT NULL, 
  `titleurl` varchar(12) DEFAULT NULL, 
  `submenutitle` varchar(50) DEFAULT NULL, 
  `submenutitleurl` varchar(50) DEFAULT NULL, 
  `order` int(2) NOT NULL DEFAULT '0', 
  `enabled` int(1) NOT NULL DEFAULT '1', 
  `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, 
  PRIMARY KEY (`id`) 
) ENGINE=InnoDB DEFAULT CHARSET=latin1; 


Listing 6. populate the menus table 

INSERT INTO `menus` (`id`, `group`, `menutitle`, `titleurl`, `submenutitle`, `submenutitleurl`, `order`, `enabled`) VALUES 
(1, 'jquerymenu', 'Home', '/', NULL, NULL, 1, 1), 
(2, 'jquerymenu', 'Pages', NULL, NULL, NULL, 2, 1), 
(3, 'jquerymenu', 'Pages', NULL, 'Page 1', '/page/1', 2, 1), 
(4, 'jquerymenu', 'Pages', NULL, 'Page 2', '/page/2', 2, 1), 
(5, 'jquerymenu', 'Pages', NULL, 'Page 3', '/page/3', 2, 1); 


Listing 7. amendcontentpage.php 

<?php 

require_once 'includes/cms.inc'; 
require INCLUDES . 'content.inc'; 
require INCLUDES . 'core.inc'; 
require INCLUDES . 'html.inc'; 
require INCLUDES . 'mysql.inc'; 

// SQL statements. '{TABLE}' is a placeholder marker that is replaced 
// further down with the chosen (whitelisted) table name. 
$sql[0] = "SELECT COUNT(DISTINCT TABLE_NAME) FROM INFORMATION_SCHEMA.COLUMNS 
           WHERE table_schema = 'freebsdcms' AND TABLE_NAME = '{TABLE}'"; 
$sql[1] = "SELECT TABLE_NAME, COLUMN_NAME, COLUMN_DEFAULT, IS_NULLABLE, DATA_TYPE, 
           CHARACTER_MAXIMUM_LENGTH 
           FROM INFORMATION_SCHEMA.COLUMNS 
           WHERE table_schema = 'freebsdcms' AND TABLE_NAME = '{TABLE}' 
           ORDER BY table_name, ordinal_position"; 

// Tables that are allowed to be edited via the form 
$tables[] = "faqs"; 
$tables[] = "menus"; 
$tables[] = "news"; 
$tables[] = "pages"; 

// Fields that are automatically assigned via a default value in the MySQL table definition 
$skiplist[] = "id"; 
$skiplist[] = "timestamp"; 

//////////////////////////////////////////////////////////////////// 
// Build the page up to the body tag 
outfile(TEMPLATES . 'header.inc'); 
echo wraptag('title', 'Content Input'); 
echo HEAD; 
echo BODY; 

// Page controls logic 
if (isset($_POST["table"])) { 
    // User has not selected a table or we are testing their result 
    $t = $_POST["table"]; 
    if (!in_array($t, $tables)) { 
        // If the table is not on the allowed list, back to the first page 
        build_page_1($tables); 
    } else { 
        // Check selected table is valid 
        $s = $sql[0]; 
        // Replace the marker in the SQL statement with the chosen value 
        $s = str_replace('{TABLE}', $t, $s); 
        $result = mysql_select($s);              // helper from mysql.inc 
        $valid_table_count = $result['COUNT(DISTINCT TABLE_NAME)']; 
        if ($valid_table_count == 1) { 
            // Valid table selected - present form to edit data 
            build_page_2($t, $sql, $skiplist); 
        } else { 
            // Send user to first page 
            build_page_1($tables); 
        } 
    } 
} elseif (isset($_POST["update"])) { 
    // Save the input. As we have not validated this, just display for now 
    build_page_3($_POST); 
} else { 
    // Invalid values - return to start 
    build_page_1($tables); 
} 

//////////////////////////////////////////////////////////////////// 

function build_page_1($tables) { 
    // HTML form 
    echo '<div id="content">'; 
    echo '<div id="php">'; 
    echo '<div id="h1">1: Select content</div>'; 
    echo '<form action="amendcontent.php" method="post">'; 
    echo '<select name="table">'; 
    foreach ($tables as $t) { 
        // $tables is an array - split each value out 
        echo '<option value="' . $t . '">' . $t . '</option>'; 
    } 
    // Finish form and add footer 
    echo '</select>'; 
    echo '<input type="submit" value="Select content to edit">'; 
    echo '</form>'; 
    echo '</div></div>'; 
    echo '<div id="licence">'; 
    echo '<a href="licence.txt" title="Copyright and licence details">Copyright &copy; 2013 Rob Somerville me@merville.co.uk</a>'; 
    echo '</div>'; 
} 

function build_page_2($t, $sql, $skiplist) { 
    // HTML form 
    echo '<div id="content">'; 
    echo '<div id="php">'; 
    echo '<div id="h1">2: Edit ' . $t . '&nbsp;content</div>'; 
    echo '<form action="amendcontent.php" method="post">'; 
    // Get the schema for that particular table 
    $s = $sql[1]; 
    $s = str_replace('{TABLE}', $t, $s); 
    $result = mysql_select_rows($s);          // helper from mysql.inc 
    $divstart = '<div class="inputname">'; 
    echo '<input type="hidden" name="update" value="' . $t . '">'; 
    foreach ($result as $row) { 
        // Loop through each field and build the form fields depending on the field type 
        $field = $row[1]; 
        $fieldtype = $row[4]; 
        if (!in_array($field, $skiplist)) { 
            if ($fieldtype == "varchar") { 
                echo $divstart . ucfirst($field) . '</div><input class="varchar" type="text" name="' . $field . '"><br />'; 
            } elseif ($fieldtype == "int") { 
                echo $divstart . ucfirst($field) . '</div><input class="int" type="text" name="' . $field . '"><br />'; 
            } elseif ($fieldtype == "text") { 
                echo $divstart . ucfirst($field) . '</div><textarea rows="10" cols="30" class="textarea" name="' . $field . '"></textarea><br />'; 
            } else { 
                // Shouldn't get here 
                echo 'Error field (' . $field . ') has unhandled type ' . $fieldtype . '<br />'; 
            } 
        } 
    } 
    // Finish form and add footer 
    echo '<input type="submit" value="Save changes">'; 
    echo '</form>'; 
    echo '</div></div>'; 
    echo '<div id="licence">'; 
    echo '<a href="licence.txt" title="Copyright and licence details">Copyright &copy; 2013 Rob Somerville me@merville.co.uk</a>'; 
    echo '</div>'; 
} 

function build_page_3($post) { 
    // HTML 
    echo '<div id="content">'; 
    echo '<div id="php">'; 
    echo '<div id="h1">3: Save content</div>'; 
    echo '<ul>'; 
    foreach ($post as $key => $value) { 
        // Just loop through and dump out values - we need to validate before adding to DB 
        echo '<li><b>' . $key . ':</b> ' . $value . '</li>'; 
    } 
    // End of form 
    echo '</ul><br />'; 
    echo '<a href="amendcontent.php">Return to add content</a>'; 
    echo '</div></div>'; 
    echo '<div id="licence">'; 
    echo '<a href="licence.txt" title="Copyright and licence details">Copyright &copy; 2013 Rob Somerville me@merville.co.uk</a>'; 
    echo '</div>'; 
} 
Replace the code in Listing 1 with the code in Listing 2 and modify preload.js as well as global.css to match Listing 3 and Listing 4. This will provide the menu as shown in Figures 2 and 3. 

Add jquery support for each menu (Listing 3). Add some additional CSS so that the individual menus line up (Listing 4). 


Step 2 - Create the menus table 

In MySQL, create the menus table (Listing 5). Populate it with some basic menus (Listing 6). 


Step 3 - Build the amendcontent page 

The amendcontent page is a PHP script that allows the user to add new content to the CMS. As we have not validated the user input yet, we'll just capture the input for now. Create a new PHP file called amendcontent.php in the root directory where index.php is already saved (Listing 7). 

We need to add a small modification to global.css to line up the fields (Listing 8). Now visit http://yoursite/amendcontent.php and you will have a dynamic form ready to save data to any table in the CMS. See Figures 4-6. 


Listing 8. additions to global.css 


#php { 
  min-height: 640px; 
  margin-top: 160px; 
} 
.varchar { 
  background-color: #ced8f8; 
  border: 1px solid #FFF; 
} 
.int { 
  background-color: #cef8f5; 
  border: 1px solid #FFF; 
} 
.textarea { 
  background-color: #e3f3dc; 
  border: 1px solid #FFF; 
} 
.inputname { 
  color: tomato; 
  font-size: 12px; 
  width: 100px; 
  float: left; 
  font-weight: bold; 
} 


Figure 4. Select the table to edit 


Figure 6. What will be saved 


Useful links 

• Jquery UI source — http://jqueryui.com/resources/download/jquery-ui-1.10.3.zip 
• Jquery menu reference — http://jqueryui.com/menu 
• PHP manual — http://php.net/manual 
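Step 3 deliberately defers validation of the submitted form. The block below is an added example in Python, not the article's PHP and not part of the CMS, showing the checks a practitioner would put between the form and the database: the table name is matched against the same allowed-list the article keeps in $tables (which is also what makes the article's str_replace of the marker safe), each field is checked against the column type and maximum length that the article's second INFORMATION_SCHEMA query returns, fields the form never offered (an "id" or "timestamp" added client-side) are rejected, the INSERT is built with bound parameters instead of string concatenation, and the "3: Save content" confirmation escapes every value before echoing it. MENUS_SCHEMA is constructed from the menus table in Listing 5; validate_post, build_insert and render_confirmation are the example's own names.

```python
import html
import re

# Constructed from the menus table in Listing 5, in the shape the article's
# second INFORMATION_SCHEMA query returns: column name, data type,
# character maximum length, is_nullable.
MENUS_SCHEMA = [
    ("id", "int", None, "NO"),
    ("group", "varchar", 12, "NO"),
    ("menutitle", "varchar", 12, "NO"),
    ("titleurl", "varchar", 12, "YES"),
    ("submenutitle", "varchar", 50, "YES"),
    ("submenutitleurl", "varchar", 50, "YES"),
    ("order", "int", None, "NO"),
    ("enabled", "int", None, "NO"),
    ("timestamp", "timestamp", None, "NO"),
]
ALLOWED_TABLES = {"faqs", "menus", "news", "pages"}  # the article's $tables
SKIPLIST = {"id", "timestamp"}                        # the article's $skiplist
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_post(post, schema):
    """Check a submitted form against the table schema.

    'update' carries the table name, as the hidden field in build_page_2 does.
    Returns (clean_values, errors); clean_values is empty whenever errors exist.
    """
    table = post.get("update", "")
    if table not in ALLOWED_TABLES:
        return {}, [f"table '{table}' is not editable"]
    editable = {name: (dtype, maxlen, nullable)
                for name, dtype, maxlen, nullable in schema if name not in SKIPLIST}
    errors, clean = [], {}
    # Reject fields the form never offered (e.g. an 'id' added client-side)
    for name in post:
        if name != "update" and name not in editable:
            errors.append(f"unexpected field '{name}'")
    for name, (dtype, maxlen, nullable) in editable.items():
        raw = post.get(name, "")
        if raw == "":
            if nullable == "YES":
                clean[name] = None           # becomes SQL NULL through the driver
            else:
                errors.append(f"'{name}' is required")
        elif dtype == "int":
            if re.fullmatch(r"-?\d+", raw):
                clean[name] = int(raw)
            else:
                errors.append(f"'{name}' must be an integer")
        elif dtype in ("varchar", "text"):
            if maxlen is None or len(raw) <= maxlen:
                clean[name] = raw
            else:
                errors.append(f"'{name}' is longer than {maxlen} characters")
        else:
            errors.append(f"'{name}' has unsupported type {dtype}")
    return ({}, errors) if errors else (clean, [])


def build_insert(table, clean):
    """Parameterised INSERT: identifiers come from the schema, values are bound."""
    cols = list(clean)
    if table not in ALLOWED_TABLES or not all(IDENT.match(c) for c in cols):
        raise ValueError("identifier not from the schema")
    sql = "INSERT INTO `%s` (%s) VALUES (%s)" % (
        table, ", ".join(f"`{c}`" for c in cols), ", ".join("%s" for _ in cols))
    return sql, tuple(clean[c] for c in cols)


def render_confirmation(clean):
    """The '3: Save content' list, with every value HTML-escaped before echoing."""
    items = (f"<li><b>{html.escape(k)}:</b> {html.escape('' if v is None else str(v))}</li>"
             for k, v in clean.items())
    return "<ul>" + "".join(items) + "</ul>"
```

The query text never contains user data: column names are taken from the schema rows and pass an identifier check, and the values travel as parameters of the INSERT (the "%s" placeholders of the MySQL DB-API drivers), so a value such as "2; DROP TABLE menus" is rejected by the integer check and could not be executed as SQL even if it reached the driver.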


In the next article 

We will use the data from the menu tables to populate the 
Jquery menus and write some validation code for the user 
input prior to saving to the database. 


ROB SOMERVILLE 

Rob Somerville has been passionate about technology since his ear- 
ly teens. A keen advocate of open systems since the mid-eighties, he has 
worked in many corporate sectors including finance, automotive, air- 
lines, government and media in a variety of roles from technical support, 
system administrator, developer, systems integrator and IT manager. 
He has moved on from CP/M and nixie tubes but keeps a soldering iron 
handy just in case. 
A Closer Look at the Changes in PC-BSD/TrueOS 9.2. Part 2 


Directory encryption using PEFS 


Last month we took a look at how PC-BSD is implementing ZFS boot-environments, which can be a life-saver for both servers and desktops. This month we will be looking at how PC-BSD uses the PEFS kernel level file system module to automatically encrypt your home directory and its contents, and how you can manually run PEFS for other sensitive data. 

Starting in PC-BSD 9.2, the default encryption provider has been switched to PEFS, which has also been merged into the base operating system as the /boot/kernel/pefs.ko kernel module, the /usr/sbin/pefs command, and various libraries. The PEFS system is a kernel level stacked cryptographic file-system authored by Gleb Kurtsou. Because it is provided as a kernel module, it does not require any user-level daemons to function, and can run on top of existing file-systems such as ZFS in the case of PC-BSD or TrueOS. It includes other nice features such as random cipher tweak values on a per-file basis, support for AES / Camellia in XTS mode, and more. Since it can sit on top of a ZFS file-system, this ensures that all the data stored by ZFS, including in snapshots, is encrypted and will stay encrypted when performing functionality such as a zfs send to a remote backup server. This is a key feature of performing snapshots/replication with PC-BSD's new "Life-Preserver" utility. It enables you to safely transmit data to a remote machine (over SSH), without having to explicitly trust that the remote system will take the necessary steps to re-encrypt your ZFS data, as in the case of GELI encryption. 

Another key feature of PEFS is its inclusion of a PAM module for login decryption of a user's home-directory. So what does this look like? During the first time setup of PC-BSD, or when adding additional users, you will now be presented with a new option to "Encrypt user files". 


Figure 1. Setting up a new user with home-directory encryption 


By enabling the "Encrypt user files" option, a new PEFS mount-point will be created on top of your home-directory, in this case /usr/home/kmoore. The encryption key for this directory will be tied to your specified user password, so a password of good length and randomness is encouraged. When your user is not logged in, all the files in the home-directory will appear encrypted to root and to any other users who happen to log into the machine. 


[root@titan] ~# ls /usr/home/kmoore 
.pefs.db 
(the remaining entries are shown as encrypted file names) 


Figure 2. Listing of a home-directory before login 


After logging into the system as your user, your pass- 
word will be automatically added to the PEFS key chain 
database and your encrypted directory will appear nor- 
mally again. 


[root@titan] ~# ls /usr/home/kmoore 
.cshrc          .login_conf     .pefs.db        .rhosts         .zshrc 
.login          .mailrc         .profile        .xsession-errors 
.pulse-cookie   .vboxclient-clipboard.pid   .vboxclient-display.pid   .vboxclient-seamless.pid 


So how does this work behind the scenes? Let us take 
a look at the command-line usage for PEFS and its im- 
plementation on PC-BSD. As an example, we will walk 
through the creation of a new /secret directory on the sys- 
tem, where our user perhaps wants to keep more encrypt- 
ed data with a different passphrase from his login. To get 
started, we will first create the new directory and initialize 
it with the pefs command. 


[root@titan] ~# mkdir /secret 
[root@titan] ~# pefs addchain -f -Z /secret 
Enter par­ent key passphrase: 
Reenter parent key passphrase: 
[root@titan] ~# 


Figure 4. Initial setup of the /secret file-system 


Since this is a first-time initialization, and the PEFS directory is not yet mounted, we are going to use the -f flag to skip the file-system checks. The -Z flag is also used so we can create a new key-chain with only a single "parent" passphrase. This key-chain passphrase can then be verified at decryption time to ensure it was not mistyped. 


PRO TIP 

In addition to a single password, PEFS also supports creating parent / child keys in the keychain, giving the parent keys the ability to unlock the child keys, but not vice-versa. This gives you a method of creating security-levels in your encrypted data. For more information on this, take a look at the following wiki page: https://wiki.freebsd.org/PEFS. 


With the initial chain created, if you take a look at the /secret directory, you will see that the '.pefs.db' key chain database file has been created, which is the only file that will need to exist underneath the PEFS mounted directory. 


[root@titan] ~# ls /secret/ 
.pefs.db 
[root@titan] ~# 


Figure 5. Verifying the contents of /secret before mounting PEFS 


Now all that is left to do is to mount the PEFS file-system, and add the passphrase we just created. We can then look and still see the .pefs.db file, and see that the "pefs" file-system has been mounted successfully. This may be a good time to copy the '.pefs.db' file to a secure location, in case of accidental deletion. Note the usage of the -c flag on pefs addkey. This will enable a test ensuring that the passphrase entered is indeed the correct one from the key database. 


[root@titan] ~# pefs mount /secret /secret 
[root@titan] ~# pefs addkey -c /secret 
Enter passphrase: 
[root@titan] ~# ls /secret/ 
.pefs.db 
[root@titan] ~# mount | grep '/secret' 
/secret on /secret (pefs, local) 
[root@titan] ~# 


Figure 6. Mounting PEFS and verifying the database file 


With PEFS now mounted and ready, it is always a good 
practice to test your new setup before you begin using it 
with critical data. Next we will create a test file, verify it, re- 
move our active encryption key, verify the encryption, and 
decrypt the directory again (Figure 7). 

Lastly, we can setup the /secret directory to automati- 
cally have PEFS mounted at reboot. To enable this, you 
can add the directory you wish to re-mount with PEFS to 
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the /var/db/pefs/auto mounts file. (You can safely create 
this file if it does not exist). 


[root@titan] ~# echo "testing" > /secret/testing
[root@titan] ~# cat /secret/testing
testing
[root@titan] ~# pefs flushkeys /secret
[root@titan] ~# ls /secret
GKk+LL37191hsgM2e49bXS2E110n7kKC+6 .pefs.db
[root@titan] ~# pefs addkey -c /secret
Enter passphrase:
[root@titan] ~# ls /secret
.pefs.db testing
[root@titan] ~#


Figure 7. Testing the encryption of the /secret directory 


[root@titan] ~# echo "/secret" >> /var/db/pefs/auto_mounts
[root@titan] ~#


Figure 8. Enabling auto-mounting of PEFS on /secret 


References

- Article on PEFS usage / internals — https://wiki.freebsd.org/PEFS
- PEFS Sources — https://github.com/glk/pefs
- Original Article on PEFS by the author, Gleb Kurtsou — http://glebkurtsou.blogspot.com/2009/09/pefs-crypto-primitives.html
- PEFS in the FreeBSD ports tree — http://www.freshports.org/sysutils/pefs-kmod/


This method is preferred over a traditional entry in /etc/fstab, particularly to ensure that your PEFS directories get mounted last and on top of other late-mounted file-systems, such as ZFS datasets. With this in place, you are now ready to begin using your encrypted directory normally. As a fail-safe, the directory is automatically mounted read-only until you unlock it again via the pefs addkey -c command.

We have taken a quick look at PEFS: How it’s used 
on PC-BSD and how you can manually configure it via 
the command-line. For more information please read 
the excellent wiki article referenced below, or check out 
the source via GitHub. Traditional FreeBSD users may 
also find PEFS in the ports collection under sysutils/ 
pefs-kmod. 
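The test cycle of Figure 7, written up as a POSIX sh script with explicit checks, plus an idempotent replacement for the bare `echo >> auto_mounts` step (which appends a duplicate line every time it is re-run). This is an added example, not code from the article; it assumes pefs(8) is installed and the key chain under the directory has already been created, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): exercise a freshly configured PEFS
# directory the way Figure 7 does, and register it for auto-mounting safely.
# Assumes pefs(8) and an existing key chain (.pefs.db) under the directory.
set -eu

# Append DIR to the PEFS auto_mounts file only if it is not already listed.
pefs_automount_add() {
    dir=$1
    file=${2:-/var/db/pefs/auto_mounts}
    [ -f "$file" ] || : > "$file"      # the article notes the file may not exist yet
    if grep -qx -- "$dir" "$file"; then
        echo "already listed: $dir"
    else
        printf '%s\n' "$dir" >> "$file"
        echo "added: $dir"
    fi
}

# Read mount(8) output on stdin; succeed only if DIR is mounted as pefs
# (the line looks like "/secret on /secret (pefs, local)").
pefs_is_mounted() {
    dir=$1
    awk -v d="$dir" '$3 == d && $4 ~ /^\(pefs/ { found = 1 } END { exit !found }'
}

# Full round trip: write a probe file, drop the key, confirm the plaintext
# name is gone, unlock with -c, confirm the content survived.
# Needs root and a mounted PEFS directory; only run when asked for explicitly.
pefs_selftest() {
    dir=$1
    probe="$dir/.pefs-selftest.$$"
    mount | pefs_is_mounted "$dir" || { echo "$dir is not a pefs mount" >&2; return 1; }
    echo "testing" > "$probe"
    pefs flushkeys "$dir"              # without the key, names show as ciphertext
    if [ -e "$probe" ]; then
        echo "plaintext name still visible after flushkeys" >&2; return 1
    fi
    pefs addkey -c "$dir"              # -c: verify the passphrase against .pefs.db
    [ "$(cat "$probe")" = "testing" ] || { echo "content mismatch after unlock" >&2; return 1; }
    rm -f "$probe"
    echo "PEFS round trip on $dir OK"
}

case "${1-}" in
    selftest)  pefs_selftest "${2:?directory}" ;;
    automount) pefs_automount_add "${2:?directory}" ;;
esac
```

Run as `sh pefs-check.sh selftest /secret` after `pefs addkey -c`, and `sh pefs-check.sh automount /secret` in place of the echo in Figure 8.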
Intro to ZFS
What Is ZFS? 


“The Z file system, originally developed by Sun™ is designed to use a pooled storage method in that space is only used as it is needed for data storage. It is also designed for maximum data integrity, supporting data snapshots, multiple copies, and data checksums. It uses a software data replication model, known as RAID-Z. RAID-Z provides redundancy similar to hardware RAID, but is designed to prevent data write corruption and to overcome some of the limitations of hardware RAID.”


ZFS is a modern 128-bit file system based on the copy-on-write model. It originates from the OpenSolaris project and first appeared in FreeBSD in 2008. ZFS has many innovative features including an integrated volume manager with mirroring and RAID capabilities, data checksumming and compression, writable snapshots that can be transferred between systems and many more. FreeBSD’s ZFS file system has been updated by merging improvements from the illumos project. The current FreeBSD implementation of ZFS is ZFS Pool version 28. Here is the history of ZFS releases:


• 7.0+ — original ZFS import, ZFS v6; requires significant tuning for stable operation (no longer supported).
• 7.2 — still ZFS v6, improved memory handling, amd64 may need no memory tuning (no longer supported).
• 7.3+ — backport of new ZFS v13 code, similar to the 8.0 code.
• 8.0 — new ZFS v13 code, lots of bug fixes — recommended over all past versions (no longer supported).
• 8.1+ — ZFS v14
• 8.2+ — ZFS v15
• 8.3+ — ZFS v28
• 9.0+ — ZFS v28


ZFS features:

• pooled storage (integrated volume manager)
• transactional semantics (copy-on-write)
• checksums and self-healing (scrub, resilver)
• scalability
• instant snapshots and clones
• dataset compression (lzjb)
• simplified delegable administration


Basic ZFS concepts 

The ZFS file system uses two main objects: Pools and Datasets. A ZFS pool is a storage object consisting of virtual devices. These ‘vdevs’ can be:

• disk (partition, GEOM object, ...)
• file (experimental purposes)
• mirror (groups two or more vdevs)
• raidz, raidz2, raidz3 (single to triple parity RAID-Z)
• spare (pseudo-vdev for hot spares)
• log (separate ZIL device, may not be raidz)
• cache (L2 cache, may not be mirror or raidz)

Each ZFS pool contains ZFS datasets. ZFS dataset is a generic name for:

• file system (POSIX layer)
• volume (virtual block device)
• snapshot (read-only copy of file system or volume)
• clone (file system with initial contents of a snapshot)

For more information about this you can always check the handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/filesystems-zfs.html).


Requirements for this tutorial:

• FreeBSD production release (9.1)
• Around 512 MB of disk space (for simulating disks)
• At least 1 GB of RAM
• Root account


Purpose of this tutorial

The purpose of this tutorial is to explore some ZFS features in a safe way to grasp the power and flexibility of this file system. We will take a look at these basic functionalities:

• Create a ZFS pool.
• Create a ZFS mirror.
• Simulate a failure on a mirrored disk.
• Replace a disk.
• Add disks to a mirrored zpool.
• Check I/O on ZFS pools.


Creating Disks and Pools

To try some ZFS features, first we need to create pools. We will use files to simulate real disks so we can test things safely. I will use the mkfile(8) utility to create some files and use those as disks. mkfile creates one or more files that are suitable for use as NFS-mounted swap areas, or as local swap areas. The file is padded with zeros by default. The default size is in bytes, but it can be flagged as exabytes, petabytes, terabytes, gigabytes, megabytes, kilobytes, or blocks with the e, p, t, g, m, k, or b suffixes, respectively. Now let’s create some disks! NOTE: if you don’t have the mkfile utility, install it first as shown in Listing 1.

Here, I’m creating 4 disks of 128MB each as you can see in the ls output.


ZPools

All ZFS file systems live in a pool, so first we need to create a zpool. We can check pools with the zpool(8) command. Before creating new zpools, you should check for existing zpools to avoid confusing them with your tutorial pools. You can check what zpools exist with zpool list:


root@apollo:/array # zpool list
no pools available


Now let's create a zpool with zpool create:


root@apollo:/array # zpool create tutorial /array/disk00


Listing 1. Creating disks


root@apollo:/ # pkg add -r mkfile
root@apollo:/ # mkdir array
root@apollo:/ # cd array
root@apollo:/array # mkfile 128m disk00 disk01 disk02 disk03
root@apollo:/array # ls -lrt
total 524416
1 root wheel 134217728 Jul 29 21:51 disk00
1 root wheel 134217728 Jul 29 21:51 disk01
1 root wheel 134217728 Jul 29 21:51 disk02
1 root wheel 134217728 Jul 29 21:51 disk03


Listing 2. Creating a new file on the pool


root@apollo:/ # mkfile 1m /tutorial/file1
root@apollo:/ # ls -lrt /tutorial
total 1027
1 root wheel 1048576 Jul 29 22:24 file1
root@apollo:/ #


Listing 3. Creating a new zpool


root@apollo:/ # zpool create example2 mirror /array/disk00 /array/disk01
root@apollo:/ # zpool list
NAME      SIZE  ALLOC  FREE  CAP  DEDUP  HEALTH  ALTROOT
example2  123M     6K  123M   0%  1.00x  ONLINE  -
root@apollo:/ #


Listing 4. zpool status


root@apollo:/ # zpool status
  pool: example2
 state: ONLINE
  scan: none requested
config:

        NAME               STATE     READ WRITE CKSUM
        example2           ONLINE       0     0     0
          mirror-0         ONLINE       0     0     0
            /array/disk00  ONLINE       0     0     0
            /array/disk01  ONLINE       0     0     0
List the current pools:


root@apollo:/array # zpool list
NAME      SIZE  ALLOC  FREE  CAP  DEDUP  HEALTH  ALTROOT
tutorial  123M    71K  123M   0%  1.00x  ONLINE  -
root@apollo:/array #


Now let’s use the file system. Create a new file on the pool we just created (Listing 2). Here I have created a 1MB file on the newly created zpool.


Creating a ZFS mirror

A pool with only one disk doesn't offer any redundancy. Let's create a new zpool called “example2” using a couple of disks. We will use the keyword “mirror”. As the name states, it will make a mirror using this pair of disks when we create the zpool (Listing 3).

We can check the status of our pools with the zpool status command (Listing 4).

Let’s create a file again and check the status after that (I'll create a 32MB file):


root@apollo:/ # mkfile 32m /example2/file
root@apollo:/ # zpool list
NAME      SIZE  ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
example2  123M  32.8M  90.2M  26%  1.00x  ONLINE  -


So now we have our data stored redundantly over the two disks.


Simulating a disk failure 

Not everything is nice and calm. Sometimes bad things happen to good people, like a disk going bad at 3 a.m. Let's simulate a disk failure. For that I'll overwrite the first disk label with random data:


root@apollo:/ # dd if=/dev/random of=/array/disk01 bs=1024 count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.029959 secs (34180 bytes/sec)


In case you don't know about the dd(1) command, here is what it does:

“The dd utility copies the standard input to the standard output. Input data is read and written in 512-byte blocks. If input reads are short, input from multiple reads are aggregated to form the output block. When finished, dd displays the number of complete and partial input and output blocks and truncated input records to the standard error output.”

So I wrote a single block of 1024 bytes from /dev/random over the start of our disk01, where the ZFS label lives.


Listing 5. scrub command


root@apollo:/ # zpool scrub example2
root@apollo:/ # zpool status
  pool: example2
 state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: http://illumos.org/msg/ZFS-8000-4J
  scan: scrub repaired 0 in 0h0m with 0 errors on Mon ...
config:

        NAME                STATE     READ WRITE CKSUM
        example2            DEGRADED     0     0     0
          mirror-0          DEGRADED     0     0     0
            /array/disk00   ONLINE       0     0     0
            <device guid>   UNAVAIL

errors: No known data errors


Listing 6. zpool attach


root@apollo:/ # zpool attach example2 /array/disk00 /array/disk01
root@apollo:/ # zpool status example2
  pool: example2
 state: ONLINE
  scan: resilvered 54.4M in 0h0m with 0 errors on Tue Jul 30 09:15:26 2013
config:

        NAME               STATE     READ WRITE CKSUM
        example2           ONLINE       0     0     0
          mirror-0         ONLINE       0     0     0
            /array/disk00  ONLINE       0     0     0
            /array/disk01  ONLINE       0     0     0

errors: No known data errors


Listing 7. Adding a disk to a Mirrored Zpool


root@apollo:/ # zpool add example2 mirror /array/disk02 /array/disk03
root@apollo:/ # zpool list
NAME      SIZE  ALLOC  FREE  CAP  DEDUP  HEALTH  ALTROOT
example2  246M  54.4M  192M  22%  1.00x  ONLINE  -
root@apollo:/ #
ZFS automatically checks for errors when it reads/writes files; we can force a check with the scrub command (Listing 5). We messed up the disk, so it shows as UNAVAIL, but no errors are reported for the pool as a whole: “Sufficient replicas exist for the pool to continue functioning in a degraded state.” We still can read and write to the pool:


root@apollo:/ # ls -lrt /example2/
total 32779
1 root wheel 33554432 Jul 29 22:41 file


Replacing a disk

Let's take out the bad disk from the pool using the detach command:


root@apollo:/ # zpool detach example2 /array/disk01


Now let’s erase our file and create a new one to simulate a new disk:


root@apollo:/ # rm /array/disk01
root@apollo:/ # mkfile 128m /array/disk01


To attach another device, we specify an existing device in the mirror to attach it to with zpool attach (Listing 6). If you type zpool status fast enough after you attach the new disk, you will see a resilver (remirroring) in progress. Once the resilver is complete, the pool is healthy again (you can also use ls to check the files are still there):


root@apollo:/ # ls /example2/
file file2


Adding a disk to a Mirrored ZPool

You can add disks to a zpool without taking it offline (Listing 7). This happens almost instantly. Now zpool status returns that we have a pool composed of two mirrors (Listing 8).


Checking I/O on ZPools

If we need to check I/O on our pool, we have zpool iostat -v (Listing 9).

All the data is currently written on the first mirror pair, as the second pair did not exist at the time the article was written.


Listing 8. zpool status example2


root@apollo:/ # zpool status example2
  pool: example2
 state: ONLINE
  scan: resilvered 54.4M in 0h0m with 0 errors on Tue Jul 30 09:15:26 2013
config:

        NAME               STATE     READ WRITE CKSUM
        example2           ONLINE       0     0     0
          mirror-0         ONLINE       0     0     0
            /array/disk00  ONLINE       0     0     0
            /array/disk01  ONLINE       0     0     0
          mirror-1         ONLINE       0     0     0
            /array/disk02  ONLINE       0     0     0
            /array/disk03  ONLINE       0     0     0

errors: No known data errors


Listing 9. zpool iostat -v


root@apollo:/ # zpool iostat -v
                   capacity     operations    bandwidth
pool              alloc   free   read  write   read  write
----------------  -----  -----  -----  -----  -----  -----
example2          54.4M   192M      0      0  1.44K     70
  mirror          54.4M  68.6M      2      5     3K    ...
    /array/disk00     -      -      0      0  2.31K  2.16K
    /array/disk01     -      -      0      5    ...   200K
  mirror          14.5K   123M      0      0      0    307
    /array/disk02     -      -      0      0    268  26.2K
    /array/disk03     -      -      0      0    268  26.2K
----------------  -----  -----  -----  -----  -----  -----


References

- https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man1/dd.1.html
- http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/filesystems-zfs.html
- http://manned.org/mkfile/96d2b7e1
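The DEGRADED/UNAVAIL output in Listing 5 is exactly what a monitoring job should catch before a second disk fails. As an added example (not part of the tutorial), here is a POSIX sh/awk health check that parses `zpool status` text and reports every pool and vdev that is not ONLINE, failing when any pool needs attention; the sample input is constructed from Listing 5 with a placeholder device guid, and `zpool_check` runs the same logic against the live system when zpool(8) is available.

```shell
#!/bin/sh
# Added example, not from the tutorial: a small health check over
# `zpool status` output, suitable for cron or a monitoring agent.
set -eu

# Read zpool status text on stdin. Print "pool=<name> state=<state>" for each
# pool and "  vdev=<name> state=<state>" for each vdev that is not ONLINE;
# also echo any errors: line that is not "No known data errors".
# Exit status 1 if any pool is not ONLINE or reports errors, else 0.
zpool_health() {
    awk '
        /^[ \t]*pool:/   { pool = $2; next }
        /^[ \t]*state:/  { state = $2
                           printf "pool=%s state=%s\n", pool, state
                           if (state != "ONLINE") bad = 1
                           next }
        /^[ \t]*errors:/ { if ($0 !~ /No known data errors/) { print "  " $0; bad = 1 }
                           next }
        # the config table starts at its NAME/STATE header and ends at a blank line
        /^[ \t]*NAME[ \t]+STATE/ { inconf = 1; next }
        inconf && NF == 0 { inconf = 0; next }
        inconf && $1 != pool && $2 != "ONLINE" { printf "  vdev=%s state=%s\n", $1, $2 }
        END { exit bad ? 1 : 0 }
    '
}

# Run against the live system (FreeBSD host with ZFS); arguments go to zpool status.
zpool_check() {
    command -v zpool >/dev/null 2>&1 || { echo "zpool not found" >&2; return 2; }
    zpool status "$@" | zpool_health
}

# Constructed sample modelled on Listing 5; the guid is a placeholder, not real output.
SAMPLE_DEGRADED='  pool: example2
 state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using zpool replace.
   see: http://illumos.org/msg/ZFS-8000-4J
  scan: scrub repaired 0 in 0h0m with 0 errors
config:

        NAME                   STATE     READ WRITE CKSUM
        example2               DEGRADED     0     0     0
          mirror-0             DEGRADED     0     0     0
            /array/disk00      ONLINE       0     0     0
            1234567890123456   UNAVAIL      0     0     0  was /array/disk01

errors: No known data errors'

# Constructed healthy sample modelled on Listing 4.
SAMPLE_ONLINE='  pool: tutorial
 state: ONLINE
  scan: none requested
config:

        NAME             STATE     READ WRITE CKSUM
        tutorial         ONLINE       0     0     0
          /array/disk00  ONLINE       0     0     0

errors: No known data errors'

# Demonstration on the constructed sample; on a real host use: zpool_check example2
printf '%s\n' "$SAMPLE_DEGRADED" | zpool_health || echo "=> pool needs attention"
```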

That is all for this tutorial. Much more information on ZFS can be found in the following links:

- http://docs.oracle.com/cd/E19253-01/819-5461/
- http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide
- https://wiki.freebsd.org/ZFSTuningGuide
- http://wiki.illumos.org/display/illumos/illumos+Home
- http://manned.org/
FreeBSD on XenServer


In this article, we will learn the caveats in deploying FreeBSD over 
XenServer and the advantages over the traditional schema to 
improve administration, provisioning and delivery times. 


What you will learn...

• Installation of FreeBSD in XenServer.
• Optimization of FreeBSD for XenServer.


What you should know...

• How to sync the source and build world and a custom kernel.
• XenServer management through XenCenter and console.
• FreeBSD installation procedure.


FreeBSD is an excellent platform; it is rock solid, easy to manage, easy to update, very well documented and has outstanding performance. All those reasons made me choose it over other Unix-like operating systems many years ago. However, configuration is time consuming and I wanted to reduce that in order to improve provisioning to replicate environments. After some research, I decided to use XenServer because it is used in many companies, plus it is free. This article shows how to install and customize FreeBSD over XenServer to achieve the maximum performance and improve administration, provisioning and delivery time, something critical in today’s world of Cloud Computing.


FreeBSD Virtualization

Virtualization is a technique to implement resource separation and isolation of one physical computer into multiple environments called Virtual Machines. There are many techniques to implement this functionality with different benefits and their respective problems. This document is not a complete overview of FreeBSD virtualization or virtualization in general, but a review of some important information to understand where we can use XenServer, plus FreeBSD.


Virtual machines

This technique is designed to emulate hardware to run different operating systems on the same host computer. It is the most used technique and we can test it using tools like VirtualBox, QEMU, and other virtual machine implementations. Here, each VM, or guest, runs without modifications because the virtualization software emulates the hardware and the guest is not aware that it is not running on real hardware. This is an unnecessarily heavy solution, but it’s the best option if we want operating systems like Windows to do our tax report from BSD platforms.


OS level virtualization or Jails 

This technique is a layer on the Operating System designed 
to isolate environments inside the main system. You have a 
base system with many environments working on the same 
platform version, for example, FreeBSD 9.1. Each virtual 
machine or jail has its own IP address or addresses with 
processes, system accounts, applications and files exclusive 
for that environment. The advantage of this technique is the 
low overhead of each environment because they share the 
same resources such as memory, CPUs, disks and network, 
while maintaining full isolation. On the other hand, the dis- 
advantages are the same resource sharing since when we 
have a jail with high resource consumption, this can affect 
the performance of another jail or the host in general. 


Paravirtualization 


This technique uses an operating system with a small footprint called a hypervisor, specifically designed to handle resource assignment and interrupts between guests. The guest operating systems (or VMs) must be adapted to be paravirtualization-aware to take full advantage of it.

The advantage of this technique is that you can run different operating systems on the same computer without the overhead of virtual machines. XenServer fits in this kind of virtualization and FreeBSD is paravirtualization-aware through the XENHVM kernel.

As a side note, the BSD community is working on a hy- 
pervisor called bhyve, The BSD Hypervisor. It is designed 
to support different versions of FreeBSD and it has been 
claimed to run CentOS at BSDCan 2013, so it looks like a 
promising solution. 


Virtual Machine Setup 

The first step, even before we start with the installation of 
FreeBSD, is to download the ISO image with the installer 
and save it in the NFS ISO repository in XenServer. For 
this article, we will be using the FreeBSD 9.1 installer be- 
cause 9.2 has not been released yet. 

To simplify the process, we will be using a Windows ap- 
plication called XenCenter under a virtualized Windows 
and we can begin the installation as you see in Figure 1. 

Because XenServer does not have a specific FreeBSD 
template, we need to follow the “Other install media” op- 
tion and advance to the next screen. We are not providing 
any screenshots for the installation process because it is 
really easy and we are focused on showing you how to 
make FreeBSD work. 

In the next screens, you can choose the amount of RAM 
and vCPUs assigned to the VM. It is important to assign 
plenty of RAM because we will build a custom kernel (and 
world). Once we have finished, we can reassign it to free 
memory for other Virtual Machines. 

Next, we need to create a custom disk and choose the 
right network interface. It is important to create a disk with 
enough space to build world and the custom kernel al- 
though it is possible to increase the size of the disk after 
the initial setup, but it requires additional steps. Later, we 
will explain how to do it. 

Finally, we will see a confirmation screen, as shown in 
Figure 2, with the summary of options. 

If we leave the option “Start the new VM automatically” 
checked, the FreeBSD installer will run immediately as we 
can see in Figure 3. 

And that is all for the VM setup. Next, we will install 
FreeBSD using the XenCenter Console. 


FreeBSD Setup 
Here we will do a common FreeBSD installation without cus- 
tomization options like ZFS or other customized options. 
Figure 2. VM’s summary options

We can leave out the “src” and “ports” components from the
install because later, we will download the latest versions. 

The only relevant thing here is when we will create the 
partitions because, as mentioned previously, if disk resiz- 
ing is desired, we will need to leave root, or the growing 
partition at the end of the list. In that way, we can resize 
the disk in XenServer and the UFS partition (using growfs) 
without problems. 

You can check the setup used for this case in Figure 4. 

After finishing the installation, the first thing we need to 
do is shut down the VM and remove the CD/DVD drive 
from the VM. This is not required yet but it is a must when 
we build the custom HVM kernel otherwise we will receive 
the message “run_interrupt_driven_hooks: still waiting af- 
ter X seconds for xenbusb_nop_confighook_cb” continu- 
ously, and it will never boot. To do this, first login to the 
XenServer console and run the commands on Listing 1. 


Figure 4. FreeBSD partitioning


Remember to run the xe vbd-destroy command with the 
VM shutdown otherwise you will get the message “You at- 
tempted an operation that was not allowed.” 

We can now turn the VM on and log in as root. The 
next step is to install subversion to do the checkout of the 
source, build the “world” and XENHVM kernel as seen in 
Listing 2. After compilation, we must change the final set- 
tings before restarting. The first one is updating the net- 
work interface in rc.conf from “ifconfig_reX” to “ifconfig_ 
xnX” because an HVM kernel renames the interface to 
xnX. If we wish to do offloading, we can add the flags “-tx- 
csum -rxcsum -lro -tso” also. 

I have read on the freebsd-xen mailing list that if you are using pf, you must set net.inet.tcp.tso=0.

Also, many websites write about the need to update 
the fstab and change all the references from “adaxX” to 
“adX”, but in this version of XenServer (6.2) and FreeBSD 
(9.x), it was not required. You can leave your fstab as it is. 
Check Listing 3 for further information. 

Now we can restart the VM using shutdown -r now and 
we will boot using the new HVM kernel and the latest 
version of FreeBSD. At the moment of this writing, it is 
9.2-PRERELEASE. 
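The two post-build edits just described, renaming ifconfig_reX to ifconfig_xnX in rc.conf and setting net.inet.tcp.tso=0 when pf is enabled, as idempotent POSIX sh helpers. This is an added example, not code from the article; the file paths are parameters so the helpers can be tried on a copy first, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): apply the post-build rc.conf and
# sysctl.conf settings the text lists, safely re-runnable.
set -eu

# Rename every ifconfig_<old>... entry (e.g. ifconfig_re0="DHCP" and
# ifconfig_re0_ipv6=...) to the xn interface name exposed by the XENHVM
# kernel. Prints the number of matching lines; rewrites in place via a temp
# file so the original's permissions and ownership are kept.
rcconf_rename_iface() {
    old=$1; new=$2; file=${3:-/etc/rc.conf}
    n=$(grep -c "^ifconfig_${old}[=_]" "$file" || true)
    if [ "$n" -gt 0 ]; then
        tmp=$(mktemp)
        sed "s/^ifconfig_${old}\([=_]\)/ifconfig_${new}\1/" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    fi
    echo "$n"
}

# The freebsd-xen list advice the article relays: with pf enabled, disable TSO.
# Adds net.inet.tcp.tso=0 to sysctl.conf once, and only when pf_enable=YES.
sysctl_tso_off_if_pf() {
    rcconf=${1:-/etc/rc.conf}; sysctlconf=${2:-/etc/sysctl.conf}
    if ! grep -Eqi '^pf_enable="?YES"?' "$rcconf"; then
        echo "pf not enabled; nothing to do"
        return 0
    fi
    [ -f "$sysctlconf" ] || : > "$sysctlconf"
    if grep -q '^net\.inet\.tcp\.tso=0' "$sysctlconf"; then
        echo "already set"
    else
        echo 'net.inet.tcp.tso=0' >> "$sysctlconf"
        echo "set net.inet.tcp.tso=0"
    fi
}

# Typical use on the VM after `make installkernel KERNCONF=XENHVM`:
#   rcconf_rename_iface re0 xn0
#   sysctl_tso_off_if_pf
# Both print what they changed, so a second run reports 0 / "already set".
```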

Maybe you're wondering why I’m going through all this 
trouble when a vanilla FreeBSD will work great on its 
own? The reason is performance and support. 64-bit Intel/ 
AMD (amd64) kernels are only supported using HVM and 
the performance gain is through PV drivers, supported in 
HVM configurations. 


Virtualization advantages 

Now after having a FreeBSD VM completely configured, we must comment on the advantages over a traditional setup. The more notable are variety of versions, security and isolation, backup and finally, provisioning. By variety of versions, I mean different versions of FreeBSD like 7, 8, 9 or CURRENT, and other variants of BSD like OpenBSD and NetBSD — something impossible to do using only jails. Next, although we have jails and chroot to do security and isolation and they have plenty of benefits, this kind of isolation allows us to restrict the amount of resources, such as memory and CPU by VM, not just by user or group of users.


Listing 1. Destroy CD/DVD from the VM


# find the uuid for the VM
[root@xenserver ~]# xe vm-list name-label='FreeBSD HVM'
uuid ( RO)           : 8ff002a0-3f79-a1b4-96fa-5e213143ea25
     name-label ( RW): FreeBSD HVM
    power-state ( RO): running

# get the uuid for the CD/DVD
[root@xenserver ~]# xe vbd-list vm-uuid=8ff002a0-3f79-a1b4-96fa-5e213143ea25 device=hdd params=uuid
uuid ( RO)    : 3419ad05-7502-5344-1458-568b945e9646

# destroy the CD/DVD
[root@xenserver ~]# xe vbd-destroy uuid=3419ad05-7502-5344-1458-568b945e9646
[root@xenserver ~]#

Backup is more robust to do because we receive the 
benefit of full VM snapshots. It is easier to back up the en- 
tire VM before doing something risky and if that test does 
not work, return to the previous state. 

| know we can do something similar using UFS or ZFS 
snapshots. But the problem is that they are still inside of 
the operating system/filesystem while VM’s snapshots are 
outside of the OS, giving us other advantages such as the 
possibility of creating new VMs using them. 

The advantages for provisioning are enormous because 
with one snapshot from a guest, we can create images 
and templates with a different stack of applications and 
services such as web, mail, file servers, etc., and then use 
those to create environments for development, testing, 
quality assurance and production — all in a matter of min- 
utes and not hours/weeks as in a traditional deployment. 

Another advantage in using XenServer is the integration 
with Cloud Stack to give customers a self-service portal. 




On the web

• http://www.freebsd.org/ — FreeBSD
• http://www.xenserver.org/ — OpenSource XenServer
• http://bhyve.org — The BSD Hypervisor
• http://home.uncon.net/dokuwiki/doku.php?id=xenserver:freebsd — FreeBSD Tweaking


Summary 

This article was an overview of how to run FreeBSD on 
XenServer to make it more dynamic and easy-to-manage, 
more efficiently, with more control, isolation and better re- 
source assignation, all to improve our services and cus- 
tomers’ experience. 
Listing 2. Build the custom kernel and world


root@freebsdhvmdemo:/root # pkg add -r subversion
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.1-release/Latest/subversion.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.1-release/All/expat-2.0.1_2.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.1-release/All/pkgconf-0.8.9.tbz... Done.
root@freebsdhvmdemo:/root # svn checkout http://svn0.us-west.FreeBSD.org/base/stable/9 /usr/src
A    /usr/src/Makefile
A    /usr/src/sys
A    /usr/src/sys/boot
A    /usr/src/sys/boot/Makefile.inc
A    /usr/src/sys/boot/Makefile.amd64
A    /usr/src/sys/boot/common
root@freebsdhvmdemo:/root # make buildworld
root@freebsdhvmdemo:/root # make buildkernel KERNCONF=XENHVM
root@freebsdhvmdemo:/root # make installkernel KERNCONF=XENHVM
root@freebsdhvmdemo:/root # mergemaster -p
root@freebsdhvmdemo:/root # make installworld
root@freebsdhvmdemo:/root # mergemaster
root@freebsdhvmdemo:/root # make delete-old


Listing 3. fstab


# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p2     none        swap    sw       0     0
/dev/ada0p3     /           ufs     rw       1     1
Neobot is one of several Betabots. All Betabots are advanced chatbots that use the Pysh engine and read Xaiml files. The Betabots, Pysh, and Xaiml are still developing technologies made by Devyn Collier Johnson. Neobot and the Xaiml specification can be found here: https://launchpad.net/neobot

I make many wallpapers for free. Come check them out: http://gnome-look.org/usermanager/search.php?username=DevynCJohnson

I write articles for Linux.org. Come check out the place and enjoy the site. Linux.org offers forums and tutorials as well as informative articles.

Want me as your writer? Email me your name, website/company, email address, a list of desired articles (topic, article size, and so on), and payment method/amount. Feel free to ask me further questions. To learn more about me, go to this site (https://launchpad.net/~devyncjohnson-d).